Pivotal Knowledge Base


"Error in Save HTTP Request" Message seen in CFOps


Pivotal Cloud Foundry® (PCF) versions 1.7 and 1.8


After installing CFOps (the PCF backup and restore tool) in the environment, executing a backup or restore fails with the following error message:

error in save http request {"error":"Your UAA access token has expired and Your UAA access token does not have either \"opsman.admin\" or \"opsman.user\" scope"}


1. This is an authentication problem encountered during the CFOps backup/restore execution. Check the command for user/password verification.

  • Verify the usernames and passwords being used in the command are correct.
  • --opsmanageruser <value>
  • --opsmanagerpass <value> 
  • --adminuser <value>
  • --adminpass <value>
  • Note: If your Ops Manager password has special characters, such as a $, put single quotes around the password so that the shell passes it literally instead of expanding it. Example: --opsmanagerpass 'pa$$word'

2. The FQDN of the Ops Manager must be used for the --opsmanagerhost flag.

  • cfops backup --opsmanagerhost <FQDN> --opsmanagerpass <value>
  • Example: cfops backup --opsmanagerhost ops.manager.dev.test.com --opsmanagerpass password

3. Use the UAA CLI (UAAC) to obtain a token with the same credentials used in the CFOps command. This confirms whether those credentials are valid:

  • If UAAC is not installed, click the UAAC link above this line to install the utility and then follow the next step. Another option is to connect via SSH to the Ops Manager VM. UAAC is installed on the Ops Manager VM by default in PCF 1.7 or higher.
  • uaac target https://YOUR_OPSMAN_FQDN/uaa --ca-cert YOUR_ROOT_CA.crt
  • Root certificate can be found on the Ops Manager VM at the following location:  
  • Use the "--skip-ssl-validation" flag only if necessary; it disables verification of the Ops Manager certificate.
  • uaac token owner get
  • Enter "opsman" for Client ID
  • Press enter for Client secret to leave it blank
  • The username is the admin username to log into the Ops Manager web interface
  • Password is the admin password to log on to the Ops Manager web interface
  • If the token was fetched successfully, then you will see "Successfully fetched token via owner password grant."
  • Run uaac context and verify that opsman.admin or opsman.user are in the scope line
  • example:  scope: clients.read opsman.user uaa.admin scim.read opsman.admin clients.write scim.write
  • If the user lacks the appropriate permissions, follow the steps below to add them. Additional information about managing user permissions through the UAAC CLI can be found here.
uaac client update admin --authorities "EXISTING-PERMISSIONS ADDITIONAL-PERMISSION"
  • Existing permissions are listed when running "uaac context" as listed above.
  • An example of adding "opsman.admin" to the admin scope is shown below:
uaac client update admin --authorities "clients.read opsman.user uaa.admin scim.read clients.write scim.write opsman.admin"
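
The scope check and the permission update from step 3 can be scripted. The following is an added example, not part of the original article or of CFOps/UAAC; the helper names and the sample `uaac context` output are constructed for illustration, and the scope list is taken from the "scope:" line as the article describes.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from CFOps or UAAC.

# Print the space-separated scopes from the "scope:" line of `uaac context` output (stdin).
scopes_from_context() {
  sed -n 's/^[[:space:]]*scope:[[:space:]]*//p' | head -n 1
}

# Succeed if the scope list ($1) contains opsman.admin or opsman.user as a whole token.
has_opsman_scope() {
  for s in $1; do
    case "$s" in
      opsman.admin|opsman.user) return 0 ;;
    esac
  done
  return 1
}

# Build the --authorities value: existing permissions ($1) plus one more ($2), no duplicates.
merged_authorities() {
  out=""
  for s in $1 $2; do
    case " $out " in
      *" $s "*) ;;                       # already present, skip it
      *) out="${out:+$out }$s" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Constructed sample of `uaac context` output (token values are placeholders).
SAMPLE_CONTEXT='  [0]*[admin]
      client_id: opsman
      access_token: PLACEHOLDER
      token_type: bearer
      scope: clients.read uaa.admin scim.read clients.write scim.write
      jti: PLACEHOLDER'

scopes=$(printf '%s\n' "$SAMPLE_CONTEXT" | scopes_from_context)
if has_opsman_scope "$scopes"; then
  echo "OK: token carries opsman.admin or opsman.user"
else
  echo "Missing opsman.admin/opsman.user; suggested update:"
  echo "uaac client update admin --authorities \"$(merged_authorities "$scopes" opsman.admin)\""
fi
```

Against a live target, pipe the real output in with `uaac context | scopes_from_context` instead of using the sample.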


Follow the checklist above and resolve issues if found. Please open a ticket with Pivotal Support if unable to identify the problem using the steps above.

Additional Information

For further information, please refer to the following resource: 



