Authentication

This page covers common authentication problems including JWT token issues, component registration failures, and user login problems.

JWT Token Expired

Symptom: API calls return 401 Unauthorized with message Token is expired.

Solution:

  1. Request a new token:

    
    curl -k -X POST https://<host>:<port>/api/auth \
      -H "Content-Type: application/json" \
      -d '{"username":"admin","password":"your_password"}'
    
    

  2. Or refresh before expiry:

    
    curl -k -X GET https://<host>:<port>/refresh_token \
      -H "Authorization: Bearer <current_token>"
    
    

Token lifetimes:

  • User tokens: 15 minutes
  • Component tokens: 60 days
  • Long-lived tokens: 1 year or 15 years

Component Cannot Authenticate with Webserver

Symptom: Monitor, Integrator, or Sentinel Agent cannot communicate with the Webserver. Logs show authentication errors.

Possible causes:

1. JWT Token Expired or Desynchronized

The Webserver automatically refreshes component tokens every 14 minutes. If this process fails:

  • Check the Webserver logs for token refresh errors
  • Manually resynchronize tokens from the Web UI: Components > select component > Push Settings
  • Or re-register the component:

# Re-register the component
./monitor register <webserver_ip>:<port>

2. RSA Key Mismatch

If a component’s RSA key pair doesn’t match what the Webserver has stored:

  1. Delete the component from the Webserver UI
  2. Re-register: ./monitor install <webserver_ip>:<port>
  3. The component generates new keys and sends them during registration

3. Clock Skew

JWT tokens are time-sensitive. If the system clocks are out of sync by more than a few minutes:

  • Synchronize clocks using NTP on all hosts
  • Check with: date (Linux) or w32tm /query /status (Windows)

User Cannot Log In

Symptom: Login fails with “incorrect Username or Password”.

Possible causes:

  1. Wrong password – Passwords are case-sensitive
  2. Account disabled – Check if the user account is enabled in Administration > Users
  3. LDAP issues – If using LDAP authentication, verify LDAP connectivity in Settings

Reset Admin Password

If you’ve lost the admin password, you can reset it via the API using a component token:


# Get a component token (requires access to the Webserver host)
TOKEN=$(curl -s -k -X POST https://localhost:8050/loginComponent \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"current_or_internal_pwd"}' \
  | jq -r '.token')

# Update the password
curl -k -X PATCH https://localhost:8050/api/users \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"new_secure_password"}'


Rate Limiting

Symptom: Login attempts return 429 Too Many Requests.

Cause: Authentication endpoints are rate-limited to 10 attempts per IP per 5-minute window.

Solution: Wait 5 minutes and try again. If using automation, implement token caching and refresh instead of re-authenticating on every request.


Certificate Authentication Errors

Symptom: x509: certificate signed by unknown authority or tls: bad certificate.

Solution:

  1. Ensure certificates are exchanged between components:

    
    # Reload certificates on the component
    curl -k -X GET https://<component>:<port>/reloadCertificates \
      -H "Authorization: Bearer <token>"
    
    

  2. Or re-register the component to exchange new certificates:

    
    ./monitor register <webserver_ip>:<port>
    
    

See Communication Issues for more certificate troubleshooting.

See also

Translations