502 Bad Gateway While Getting Started with API

[itsGreghere]

Apologies in advance if this isn't the best way to request help. Let me know if there's another and I'd be happy to use that instead.

Background:
I am working on a campus project with 12 buildings where we've been extracting, processing & analyzing energy trend data from Metasys to provide regular energy reports. They just upgraded to 10.1 and purchased and installed the API. We have python applications that are processing the data, and are trying to develop a new data extractor using the API. I've reviewed all of the documentation, but it doesn't address the initial steps to install/activate the API on the server so we can start sending requests.

Issue:
Receiving a 502 Bad Gateway response using both Python (see below) and CURL from command line (trying to follow Historian example).

Python 3 Code:

from urllib.parse import urlencode
import urllib3
import requests

username = 'xxx'
password = 'xxx'

url = "http://xxx.xxx.xx.xxx/api/v2/login"
data = {"username": username, "password": password}
headers = {'Content-Type': 'application/json'}
response = requests.post(url, data=data, headers=headers)
print(response)

(I replaced host IP address and login credentials with x's)
The IP address we're using is the same one we've been using in Launcher to log into Metasys. The tech who activated the API sent a screenshot of another IPv4 address, but we just get a TimeoutError using that one ("A connection attemp failed because the connected party did not preoprly respond...").

[michaelgwelch]

@itsGreghere I was just notified of this issue. This is an okay place to log an issue. I think I may have been notified if you would have used the api-docs repo instead.

Regardless let me see if I can help you.

I've not used python so I may have to give it a try to see if the code you've written should work.

but it doesn't address the initial steps to install/activate the API on the server so we can start sending requests.

Depending on which APIs you want to use you may need a license. But let's deal with that after we get past your login issues. It requires nothing special to login.

I'll try using your code to see if I see any issues with it.

[michaelgwelch]

A couple of issues I've noted.

1. I have no idea why you are ever getting a 502 error. That makes no sense on a login. I'd double check the request isn't going somewhere else instead of your metasys server. (Any proxy servers configured?)The IP address you use in Launcher would be correct. It doesn't explain the 502 error however.
2. You must use https in your url
3. In your call to requests.post you should use the json argument rather than the data argument to ensure the payload is encoded in JSON. If you inspect the request.body property of the response in the debugger it'll show body:'username=myusername&password=mypassword' which is not a correctly formatted JSON payload. So here's the line I used: response = requests.post(url, json=data, headers=headers)
4. Finally, does your client trust the ssl cert on your server? If not, then there should be some guidance in the install docs to explain how to configure your client to trust your server's cert. For debugging purposes you can turn off SSL verification response = requests.post(url, json=data, headers=headers, verify=False) but this is absolutely not recommend on a production site. It could allow a man-in-the-middle attack to steal your credentials.

[michaelgwelch]

So if you are using a self signed cert you'll need to tell python to trust that cert. I don't recall how to get the actual pem file from a server. You can probably use curl to do it. Then you can tell requests to trust that cert https://stackoverflow.com/a/30405947/697188 by explicitly setting the value of verify to the path of the pem file on your client machine.

[itsGreghere]

@michaelgwelch Thanks for the responses! I'm going to try your suggestions and see if we can make any further progress.

I am not a networking expert by any means, but it seems like the 502 error might mean we're not getting routed to the Metasys server. Do you know if the Launcher IP address is a proxy server? Assuming it's redirecting us to the local IP address on the network, would that be the same server/IP-address/port that we'd want to use for the API? The other thing we've been trying is VPN onto the network and use the local IP address, but we just get timeout errors there..

Is there an easy way to test the API locally, through a browser or something from a computer on the local network? I'm not on-site but could get help from someone who is, and that could help rule out whether it's a network issue rather than with the server/API.

[michaelgwelch]

but it seems like the 502 error might mean we're not getting routed to the Metasys server.

I agree with you. (Just an FYI that it is possible for Metasys Server to return a 502. For example when reading objects the server may need to forward a request to an NAE. If that NAE is offline or non-responsive then the server could return a 502. But, that would never happen on a login).

Do you know if the Launcher IP address is a proxy server?

The other thing we've been trying is VPN onto the network and use the local IP address, but we just get timeout errors there..

Is there an easy way to test the API locally, through a browser or something from a computer on the local network?

These three separate comments have me a little confused about your setup. If you are not on site, I'd expect you would have to use the VPN. You may have to give me more specifics about how you are setup. You may have to check with your site administrator.

Where are you running Launcher from? Are you running that off-site without being on VPN and it's connecting to the server? I"m not sure how that would be possible but I guess it could suggest some sort of a proxy server. Or perhaps the site in question is addressable on the internet? (Typically we wouldn't recommend this for a production site). If it is on the internet then you'd probably be going thru some sort of proxy server.

Is there an easy way to test the API locally

Not sure what that means. You need to be able to send requests to the server so you need to be "on the same network". If you want to use a computer on the remote network you can use VPN and then Remote Desktop into the other computer and then use curl, powershell, postman or your python scripts.

I can tell you that as our day to day work doing development/testing on Metasys we use VPN to get on our company network and then can call the API from our "at-home" computers to our "on-site" devices/servers.

I guess I'd start with asking the site administrator to verify the IP address/hostname of the Metasys Server. Then I'd make sure you can access that ip or hostname when on VPN.

So to summarize I think we need to get a better handle on your networking situation before we can tackle the API.

[itsGreghere]

You may have to give me more specifics about how you are setup.

The server is on the site which is a university campus with their own network. I am remote using my laptop.
When using Launcher, I enter the IP/Host Name (169.xxx.xx.xxx) and my login credentials and I'm in - no VPN.
I also have a different IP address (10.xx.x.xxx) for the server, obtained by running ipconfig at the server machine itself. I have credentials from the university that do let me login to their network using their VPN software.

Using the Launcher IP address, we are able to get the 502 error.
Using the VPN and local IP address, we only get timeout errors - no 502.

I guess I'd start with asking the site administrator to verify the IP address/hostname of the Metasys Server.

Then I'd make sure you can access that ip or hostname when on VPN.

These steps make sense. I'll see if we can double check the IP address using ipconfig, and that should confirm the first part. I'll try to find a way to validate that I can "see" the server's IP address once on the network. If I can do that, I'd have to assume the problem lies with the setup of the server / API itself.

Thanks again for helping step through these details.

[itsGreghere]

I forgot to add.. We did try all the suggestions in your previous posts. They look to be very useful, so thank you.. I look forward to getting into the API to make sure of them.

[itsGreghere]

One more thing I tried is connecting to the site's network using VPN, then using arp -a in the command prompt to view IP addresses visible. 30 addresses showed up, none matching either of the two I have (although one matched the first 3 bits of the Launcher IP address).

I also tried ping [ip address] -t using both of the IP's I have, and it timed out on both.

Not sure if this is helpful or not.. I'm guessing the university wouldn't allow me to see EVERY device on the network.

[michaelgwelch]

When using Launcher, I enter the IP/Host Name (169.xxx.xx.xxx)

Very interesting. 169 addresses generally aren't "real" ip addresses. At least not 169.254 addresses. Who setup your laptop, or the launcher instance on your laptop? What do you see when you select this site in Launcher and click the wrench to see settings? I bet you see a proxy server setup in this section of the dialog:

I'm curious if that dialog/proxy include credentials for the proxy. Often times they look like user:password@ip:port. If that is the case then you'd need to configure your http client to work with a proxy and use those same proxy credentials to get past your 502 error.

[itsGreghere]

The Launcher setup was just installing the software, plugging in the IP/Host Name (provided by JCI FM team) and then logging in with my credentials. When I open the settings, my proxy selection is "none" like yours. Nothing in the Host : Port boxes.

I'm happy to share more specific info, but not on a public repo. I contacted you on LinkedIn or if you email me at gcollins -at- zeroenvy.com I can reply with specific screenshots.