 Support of /maximo/api/login in MAS9

Neha C posted Thu October 23, 2025 12:55 PM

We have some BOTs that use /maximo/api/login?lean=1 to create a session in Maximo for performing workflow-related actions in Maximo 7.6.1.2. However, after migrating to MAS 9.0, this approach no longer works. Do you have any suggestions on how to achieve similar functionality in MAS?

Vijayalakshmi Mane

Hello Neha,

What type of authentication are you currently using? I assume it’s Maximo Native (MAXAUTH). If that’s the case, you’ll need to switch to API keys now.

You can pass your API key as a parameter just like you do with Lean, for example:
apikey=<APIKEY>

Hope this helps!

Piotr Ozaist
Hi Neha!
I had a similar challenge after migrating from 7613 to MAS with a set of JMeter performance tests, whose responsibility was to automatically log in to Maximo, search for and open Work Orders, assets, etc.
I don't know how much it corresponds to your problem, because you haven't provided further details, but maybe you will find the information below useful.
 
In general, the biggest difference when logging in to Maximo 7613 vs MAS was that in Maximo 7613 it was enough to call the Maximo address to authenticate, while in MAS you need to first call MAS Suite Authentication and later MAS Manage.
 
For Maximo 7613 we need one address:
  • Maximo <maximo_hostname> - example: maximo.customer.com
and the process looks like
  1. GET call to <maximo_hostname>/maximo/webclient/login/login.jsp
  2. POST call to <maximo_hostname>/maximo/j_security_check (passing j_username and j_password values)
  3. GET call to <maximo_hostname>/maximo/ui/maximo.jsp
 
For MAS we need two addresses:
  • MAS Suite <suite_hostname> - example: auth.prod.apps.mas.customer.com
  • MANAGE address <manage_hostname> - example: prod.manage.prod.apps.mas.customer.com
 
and the process there:
  1. GET call to <suite_hostname>/login
  2. GET call to <manage_hostname>/maximo/oslc/graphite/manage-shell/index.html
  3. POST call to <suite_hostname>/js/j_security_check (passing j_username and j_password values)
  4. GET call to <manage_hostname>/maximo/ui
 
Please note that some of the call details and their order may be related to the way JMeter works, but I still hope it may somehow help you in your case!
 
Regards!
Piotr
Scott Mahon

The APIKey option is the best choice for when you are doing non-interactive work.  Putting the apikey in the query parameter however sends it out in the clear as free text.  So its security is a bit limited :).  If your task is non-interactive, then the apikey is best passed in the Message Header.

Piotr's works well with MAS when you need an interactive session.

I spend most of my time on the non-interactive side, so while I recognize that Piotr's answer is the one IBM recommends, I also know that if you add SAML or LDAP into the authentication mix there may be some changes.  I think those two require "Form Based" authentication.

Jason VenHuizen IBM Champion

Just a quick note about what Scott said, the part about putting the API key in the header versus the URL has no real security impact.  Both are in the clear if you aren't using SSL. The header isn't "visible", but it is in clear text in the request so any competent attacker is going to find it just as easily as if it were in the URL. 

Scott Mahon

Thanks for the extra education, Jason!  I know that I can personally find the key much easier as a query parameter than within the header, so you don't need to be even close to competent .. I have Level 0 hacking skills.

Daniel Cristea

Hi Neha, 

You need to update your BOTs' API Calls

Instead of making a separate login call to establish a session, your BOTs will now authenticate on every request by including the API Key in the HTTP request header. This creates a silent, stateless connection.

  • Authentication Method: Pass the generated API Key in a request header.

  • Header Name: apikey

  • Header Value: The long API key string generated in step 1.

Example Request Structure (using a POST for a workflow action):

| Element | MAS 9 Approach |
| --- | --- |
| Login Step | NO dedicated login step. |
| Action URL | POST **{MAS_MANAGE_ROOT}**/maximo/api/os/mxasset |
| Header (Auth) | apikey: <YourGeneratedAPIKey> |
| Header (Action) | x-method-override: SYNC (remains the same) |

cURL example: 

curl --location 'https://<maximo_hostname>/maximo/api/os/mxasset?lean=1&ignorecollectionref=1&oslc.select=*&oslc.where=ASSETNUM%3D%2211400%22' \
--header 'apikey: ••••••'

Hope this helps
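
Added example, not part of any post in this thread: a Python sketch of the stateless call described above, with the key in the `apikey` header, a refusal to build the request for a non-HTTPS root (the clear-text point raised earlier in the thread), and a helper that masks `apikey=` values in URLs before they are written to logs, where request URLs are routinely recorded. The host name and key value are constructed placeholders and the function names are hypothetical.

```python
import re
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Constructed placeholders for this example, not real values.
MANAGE_ROOT = "https://manage.example.invalid"
API_KEY = "constructed-example-key"


def build_request(root, path, params, api_key, method="GET"):
    """Build (without sending) a per-request authenticated MAS Manage call."""
    if urlsplit(root).scheme != "https":
        # In a header or in the query string, the key is readable without TLS.
        raise ValueError("refusing to attach an API key to a non-HTTPS URL")
    if any(name.lower() == "apikey" for name in params):
        # Keep the key out of the URL so it is not stored with the request line.
        raise ValueError("pass the key in the apikey header, not the query string")
    url = f"{root.rstrip('/')}{path}?{urlencode(params)}"
    return Request(url, headers={"apikey": api_key}, method=method)


# Matches ?apikey=<value> or &apikey=<value> inside a URL or a log line.
_KEY_IN_URL = re.compile(r"([?&]apikey=)[^&\s\"']+", re.IGNORECASE)


def redact_url(text):
    """Mask API key values that appear as query parameters."""
    return _KEY_IN_URL.sub(r"\1<redacted>", text)


if __name__ == "__main__":
    req = build_request(
        MANAGE_ROOT,
        "/maximo/api/os/mxasset",
        {"lean": "1", "oslc.where": 'ASSETNUM="11400"'},
        API_KEY,
    )
    # urllib stores header names capitalised; HTTP header names are case-insensitive.
    print(req.get_method(), req.full_url)
    print("header set:", req.get_header("Apikey") is not None)
    # Constructed access-log line from a bot that still sends the key in the URL.
    print(redact_url("GET /maximo/api/os/mxasset?lean=1&apikey=abc123 HTTP/1.1"))
```
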

Daniel Cristea

Hi Neha,

Hope the above answer clarifies things for you.