As reported by the open source VI Java API community, a bug came to my attention. It’s related to the Client REST API which is a powerful hack with vSphere MOB based on a little secret. Started in vSphere 4.1 update 1, things started to break if you want to call a method with the REST API while retrieving properties continues to work.
It turns out that for better security (CSRF) a new hidden input field is added into the form for submitting a method call to the server. The hidden field is as follows:
Bothered by SLOW Web UI to manage vSphere? Want to manage ALL your VMware vCenters, AWS, Azure, Openstack, container behind a SINGLE pane of glass? Want to search, analyze, report, visualize VMs, hosts, networks, datastores, events as easily as Google the Web? Find out more about vSearch 3.0: the search engine for all your private and public clouds.
<input name=”vmware-session-nonce” type=”hidden” value=”52f3d5cc-5664-6d09-cd3a-73869a2de488″>
When submitting back the form, this field must be included as any other parameters. If it’s missing, the server would complain and nothing gets done.
Server returned HTTP response code: 403 for URL: https://<ip>/mob/?moid=<vm>&method=rename
To fix the problem is relatively easy. First, check if there is any hidden field called vmware-session-nonce in the method call page. If non-existing, just do things as before; otherwise move on to second step, which is to include the key and value pair in submission before any other parameters.
If you are interested in knowing more, check out this code here in code repository.
Once again, I would like to emphasize that this REST API is not an official API. At best, it’s a workable hack.