17 Replies Latest reply on Sep 22, 2017 3:58 AM by Kerryn Wood

    API: Adding the credentials: User, password and the server IP?

    Jan-Philipp Henkel

      Hello experts

       

      We have a requirement to add the credentials for each server (user, password and server IP) via the API, using a Unix curl command.

      Please let me know about a solution and an example of such a request.

       

      Thanks a lot!

      Best regards

      Jan-Philipp

        • 1. Re: API: Adding the credentials: User, password and the server IP?
          Andrew Waters

          I presume you mean you want to use the REST API.

           

          The first choice to make is whether you specifically provide a user name and password to a script or embed an authentication token in the script (docs).

           

          So you want a single IP address with a username and password? What protocol are you expecting to use?

          2 of 2 people found this helpful
          • 2. Re: API: Adding the credentials: User, password and the server IP?
            Jan-Philipp Henkel

            Hello Andrew

            Yes, I mean the REST API for credentials.

            I know the documents but there is no example which supports our requirement to add an IP and the credentials and further to delete the credential entry.

            Do you have such an example for a Unix curl request for us?

             

            Please let us know,

            Thanks a lot!

            • 3. Re: API: Adding the credentials: User, password and the server IP?
              Andrew Waters

              Assuming you have a token, then

              curl -k -X POST --header 'Authorization: Bearer <token>' https://<appliance>/api/v1.0/vault/credentials -d '{ "ip_range" : "1.2.3.4", "types" : ["ssh"], "username" : "user", "password" : "pass" }'

              will create an ssh credential for 1.2.3.4 with username user and password pass. This returns the URI of the credential and the uuid, the unique identity of the credential. Deletion is simpler:

              curl -k -X DELETE --header 'Authorization: Bearer <token>' https://<appliance>/api/v1.0/vault/credentials/<uuid>

              where uuid is the unique identity of the credential to be deleted.

               

              Obviously you need sufficient rights as the REST API user for this to work.

              3 of 3 people found this helpful
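
The create and delete calls from the answer above, as an added example (not part of the original post or of BMC's documentation) that keeps the bearer token and the vault password out of the process list and verifies the appliance certificate with a CA file instead of `-k`. The file paths and function names are hypothetical; the endpoint and JSON fields are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. TOKEN_FILE, PASSWORD_FILE, CA_FILE and
# all function names are hypothetical; endpoint and fields are from the post.
: "${TOKEN_FILE:=$HOME/.discovery/api_token}"         # mode 600, token from the UI
: "${PASSWORD_FILE:=$HOME/.discovery/vault_password}" # mode 600
: "${CA_FILE:=$HOME/.discovery/appliance-ca.pem}"     # CA that signed the appliance cert

# Escape backslashes and double quotes for a JSON string value.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Request body for POST /api/v1.0/vault/credentials.
credential_body() {  # ip_range type username password
    printf '{ "ip_range" : "%s", "types" : ["%s"], "username" : "%s", "password" : "%s" }' \
        "$(json_escape "$1")" "$(json_escape "$2")" \
        "$(json_escape "$3")" "$(json_escape "$4")"
}

# curl config text: token header, CA bundle (replaces -k) and target URL.
curl_config() {  # token url ca_file
    printf 'header = "Authorization: Bearer %s"\n' "$1"
    printf 'cacert = "%s"\n' "$3"
    printf 'url = "%s"\n' "$2"
}

# Create a credential: config from a private temp file, JSON body on stdin,
# so neither the token nor the password appears in argv (ps, shell history).
create_credential() {  # appliance ip_range type username
    cfg=$(mktemp) || return 1
    curl_config "$(cat "$TOKEN_FILE")" \
        "https://$1/api/v1.0/vault/credentials" "$CA_FILE" > "$cfg"
    credential_body "$2" "$3" "$4" "$(cat "$PASSWORD_FILE")" |
        curl --silent --show-error --fail -X POST -K "$cfg" --data-binary @-
    rc=$?   # --fail turns a 401 or 403 into a non-zero exit status
    rm -f "$cfg"
    return "$rc"
}

# Delete a credential by uuid; the config (with the token) is piped on stdin.
delete_credential() {  # appliance uuid
    curl_config "$(cat "$TOKEN_FILE")" \
        "https://$1/api/v1.0/vault/credentials/$2" "$CA_FILE" |
        curl --silent --show-error --fail -X DELETE -K -
}
```

Call it as `create_credential <appliance> 1.2.3.4 ssh user`, then pass the returned uuid to `delete_credential <appliance> <uuid>`.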
              • 4. Re: API: Adding the credentials: User, password and the server IP?
                Jan-Philipp Henkel

                Hello Andrew

                Sorry I don't know how to generate a Token by using curl.

                Please let us know the complete way to add and delete a Windows Credential in ADDM by using the Web API.

                Thanks a lot!

                • 5. Re: API: Adding the credentials: User, password and the server IP?
                  Andrew Waters

                  That depends - are you planning to use a specific API account, in which case you can get the token from the UI, or are you using a user name and password and needing to dynamically generate a token?

                  2 of 2 people found this helpful
                  • 6. Re: API: Adding the credentials: User, password and the server IP?
                    Jan-Philipp Henkel

                    Hello Andrew

                     

                    Now it is working (I will post the results later).

                    How is it possible to have only a Web API user which has no rights for the GUI login?

                    We need just a script user.

                     

                    The test user I used, is a normal user with admin rights (username and password).

                    The user definition for a Web Api user is just the name but without a password but then the API usage is not known.

                    In both ways:

                    1. dynamic token

                    2. fixed token

                    the username and the password are needed, but how can we disable the GUI login?

                     

                    Please let us know by using Unix and curl.

                    • 7. Re: API: Adding the credentials: User, password and the server IP?
                      Brice-Emmanuel Loiseaux

                      "The test user I used, is a normal user with admin rights (username and password)."

                       

                      This looks like the problem. Your user should be an API Access type which only belongs to two groups, api_access and never_deactivate. Read again Managing system users - BMC Discovery 11.1 - BMC Documentation

                      1 of 1 people found this helpful
                      • 8. Re: API: Adding the credentials: User, password and the server IP?
                        Andrew Waters

                        Yes - you can have an account which has REST API access but not UI access. By default, as Brice says, you create an API access user.

                         

                        Specifically:

                        * for REST API access you need api/access (the api_access group contains this + various datastore rights),

                        * normally you want the never_deactivate group (which only has security/user/never_deactivate) as by default if you do not log into the UI for 60 days it will deactivate the account. This prevents this for the account.

                        * to stop UI access you need to ensure you do not give the appserver/login permission.

                        2 of 2 people found this helpful
                        • 9. Re: API: Adding the credentials: User, password and the server IP?
                          Jan-Philipp Henkel

                          Hello Andrew and Brice-Emmanuel

                           

                          I can add such a user but now the API process did not work because they need a password:

                          USER="svc_addm_api_script"

                          PWD=""

                          ADDM_SERVER="server.germany.de"

                          TOKEN=$(curl -s --insecure -i -X POST -d "grant_type=password&username=${USER}&password=${PWD}" https://${ADDM_SERVER}/api/token | grep "access_token"|awk -v FS=": " '{print $2}'|tr -d '"'|tr -d ","|sed 's/ $//g')

                          echo "TOKEN>"$TOKEN"<"

                           

                           

                           

                          So here the Token is empty with such a user.

                          Am I missing something?

                          • 10. Re: API: Adding the credentials: User, password and the server IP?
                            Kerryn Wood

                            If you're not getting anything back at all try adding -S -v (verbose options) to see the output.

                             

                            One of the potential issues with curl is that a lot depends on the distribution you're using, how it was built, etc. Most likely, it's possible that your client side is trying too low a version of SSL/TLS. Try adding --tlsv1.2, e.g.

                             

                            curl --tlsv1.2 -s --insecure -i -X POST -d "grant_type=password&username=${USER}&password=${PWD}" https://${ADDM_SERVER}/api/token

                            1 of 1 people found this helpful
                            • 11. Re: API: Adding the credentials: User, password and the server IP?
                              Andrew Waters

                              You don't need a password. You get the authorization token directly from the UI (see docs). It is permanent. You can then just use it in the script.

                              • 12. Re: API: Adding the credentials: User, password and the server IP?
                                Jan-Philipp Henkel

                                I got this back:

                                 

                                curl -S -v --insecure -i -X POST -d "grant_type=password&username=svc_addm_api_script&password=" https://iasv0190.ww-intern.de/api/token

                                * About to connect() to iasv0190.ww-intern.de port 443 (#0)

                                *   Trying 172.22.156.59... connected

                                * Connected to iasv0190.ww-intern.de (172.22.156.59) port 443 (#0)

                                * Initializing NSS with certpath: sql:/etc/pki/nssdb

                                * warning: ignoring value of ssl.verifyhost

                                * skipping SSL peer certificate verification

                                * NSS: client certificate not found (nickname not specified)

                                * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

                                * Server certificate:

                                *       subject: CN=iasv0190.ww-intern.de,OU=IEV,O=WW Informatik GmbH,L=Ludwigsburg,ST=BW,C=DE

                                *       start date: Aug 22 07:33:58 2016 GMT

                                *       expire date: Aug 20 07:33:58 2026 GMT

                                *       common name: iasv0190.ww-intern.de

                                *       issuer: CN=iasv0190.ww-intern.de,OU=IEV,O=WW Informatik GmbH,L=Ludwigsburg,ST=BW,C=DE

                                > POST /api/token HTTP/1.1

                                > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2

                                > Host: iasv0190.ww-intern.de

                                > Accept: */*

                                > Content-Length: 58

                                > Content-Type: application/x-www-form-urlencoded

                                >

                                < HTTP/1.1 401 Unauthorized

                                HTTP/1.1 401 Unauthorized

                                < Date: Fri, 22 Sep 2017 08:10:11 GMT

                                Date: Fri, 22 Sep 2017 08:10:11 GMT

                                < Server: waitress

                                Server: waitress

                                < Content-Length: 0

                                Content-Length: 0

                                < Content-Type: text/html; charset=UTF-8

                                Content-Type: text/html; charset=UTF-8

                                 

                                <

                                * Connection #0 to host iasv0190.ww-intern.de left intact

                                * Closing connection #0

                                • 13. Re: API: Adding the credentials: User, password and the server IP?
                                  Jan-Philipp Henkel

                                  If I use the Token from this user from the ADDM GUI, I'm getting this problem back:

                                   

                                  curl --insecure -k -X POST --header "Authorization: Bearer $TOKEN" https://${ADDM_SERVER}/api/v1.0/vault/credentials -d '{ "ip_range" : "1.2.3.4", "types" : ["windows"], "username" : "domain\\TESTYYYY", "password" : "88888888", "label" : "Label eeeXXXXX", "description" : "eeedescription XXXXX", "enabled" : false }'

                                   

                                   

                                   

                                  curl -S -v --insecure -k -X POST --header "Authorization: Bearer MzpiNWQ0NjAzNTgxOGZlNDJjZThkOGFjMTY5YzNiMzQ4MzpzdmNfYWRkbV9hcGlfc2NyaXB0OjAtMDgxOTg4YTlhNzFkMjg0YTc5NjJjY2U4Yjc1M2ZhZDc0MDYzYzFiYzFjYTdhN2ExMjdiM2RjMTAwMzg3Njc5OQ==" https://iasv0190.ww-intern.de/api/v1.0/vault/credentials -d '{ "ip_range" : "1.2.3.4", "types" : ["windows"], "username" : "domain\\TESTYYYY", "password" : "88888888", "label" : "Label eeeXXXXX", "description" : "eeedescription XXXXX", "enabled" : false }'

                                  * About to connect() to iasv0190.ww-intern.de port 443 (#0)

                                  *   Trying 172.22.156.59... connected

                                  * Connected to iasv0190.ww-intern.de (172.22.156.59) port 443 (#0)

                                  * Initializing NSS with certpath: sql:/etc/pki/nssdb

                                  * warning: ignoring value of ssl.verifyhost

                                  * skipping SSL peer certificate verification

                                  * NSS: client certificate not found (nickname not specified)

                                  * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

                                  * Server certificate:

                                  *       subject: CN=iasv0190.ww-intern.de,OU=IEV,O=WW Informatik GmbH,L=Ludwigsburg,ST=BW,C=DE

                                  *       start date: Aug 22 07:33:58 2016 GMT

                                  *       expire date: Aug 20 07:33:58 2026 GMT

                                  *       common name: iasv0190.ww-intern.de

                                  *       issuer: CN=iasv0190.ww-intern.de,OU=IEV,O=WW Informatik GmbH,L=Ludwigsburg,ST=BW,C=DE

                                  > POST /api/v1.0/vault/credentials HTTP/1.1

                                  > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2

                                  > Host: iasv0190.ww-intern.de

                                  > Accept: */*

                                  > Authorization: Bearer MzpiNWQ0NjAzNTgxOGZlNDJjZThkOGFjMTY5YzNiMzQ4MzpzdmNfYWRkbV9hcGlfc2NyaXB0OjAtMDgxOTg4YTlhNzFkMjg0YTc5NjJjY2U4Yjc1M2ZhZDc0MDYzYzFiYzFjYTdhN2ExMjdiM2RjMTAwMzg3Njc5OQ==

                                  > Content-Length: 194

                                  > Content-Type: application/x-www-form-urlencoded

                                  >

                                  < HTTP/1.1 403 Forbidden

                                  < Date: Fri, 22 Sep 2017 08:23:46 GMT

                                  < Server: waitress

                                  < Content-Length: 82

                                  < Content-Type: application/json

                                  <

                                  {

                                      "code": 403,

                                      "message": "Permission denied",

                                      "transient": false

                                  }

                                  * Connection #0 to host iasv0190.ww-intern.de left intact

                                  * Closing connection #0

                                  • 14. Re: API: Adding the credentials: User, password and the server IP?
                                    Kerryn Wood

                                    The 401 implies the password supplied was incorrect.

                                     

                                    You've only given the user permission to access the api, but not do anything else. Add the discovery group to the user's permissions and you should be able to add credentials.

                                    1 of 1 people found this helpful