VMware Cloud Community
jcp0wermac
Enthusiast

Orchestrator REST API & principal holder-of-key token

Hello,

I was just reading over the REST documentation regarding authentication when using SSO. What I am unsure about is how to retrieve the "principal holder-of-key token". If anyone has suggestions around this I would appreciate it.

Thanks,

Joe

9 Replies
igorstoyanov
VMware Employee

First, in the vCO 5.1 U1 release (probably to be released around the end of Q1) there would be an option to abstract the SSO authentication (no need to acquire any kind of SSO token externally). Just mentioning it since retrieving the "principal holder-of-key token" (and actually you would need a second token, a "delegation token") is a bit more involved from a development point of view.

To answer the question: the first recommendation is to take a look at the vCO Java REST SDK client that is coming as part of the vCO installation. It can be found at https://vco-server-ip:8281/api/docs . You will find a link to download files there.

If this doesn't work for you (if you are developing in another language), then the vCenter Single Sign On Development Guide: http://pubs.vmware.com/vsphere-51/topic/com.vmware.ICbase/PDF/vmware_sso_client_prog_guide_1_0.pdf would be the place to get started.

The vCenter Single Sign-On SDK is referenced in this blog post:

http://blogs.vmware.com/vsphere/2012/09/whats-new-in-vsphere-5-1-api-vsphere-web-client-sdk-vcenter-...

Hope this is helpful as a starting point.

Visit http://blogs.vmware.com/orchestrator for the latest in Cloud Orchestration.
abergman89
Contributor

I was about to ask the same thing, but this answered most of it.

Do you know if U1 is available as an alpha/beta/test? I don't want to wait until the end of Q1 and need a token; perhaps there is some example code that can help retrieve it?

igorstoyanov
VMware Employee

The example code to retrieve the SSO token can be found in the links above, either from the Java SDK client package with vCO or from the vSphere SSO documentation and SDKs.

Visit http://blogs.vmware.com/orchestrator for the latest in Cloud Orchestration.
clabman
Contributor

Hi,

Thanks for your help, I had the same trouble.

I found how to get the HoK token from the SSO SDK:

./run.sh com.vmware.sso.client.samples.AcquireHoKTokenByUserCredentialSample https://IP:7444/ims/STSService user pass

It returns the token:

Token details:
AssertionId = _***-***-***-****-***
Token type = Holder-Of-Key
Issued On = 2013-02-26T14:57:18.254Z

But then I don't know how to send it to the vCO REST API.

curl -ik -H "authorization:_***-***-***-****-***" -X GET https://IP:8281/api/users

Is that correct?

Thanks for your help

rgeorgiev
Enthusiast

Hi,

You are almost there; the token in the Authorization header should follow this:

Authorization: SIGN token="...",
               nonce="137131200:dj83hs9s",
               bodyhash="k9kbtCIy0CkI3/FEfpS/oIDjk6k=",
               signature_alg="RSA-SHA256",
               signature="..."

Where:
token          REQUIRED. The SAML2 token identifying the caller. The value is calculated as BASE64(GZIP(SAML2)).
nonce          REQUIRED. A unique string generated by the client, allowing the server to identify replay attacks and reject
               such requests. The string must be unique across all requests of a single client. The definition is as
               specified in Section 3.1 of draft-ietf-oauth-v2-http-mac with one difference: the first component should be
               the current time expressed as the number of seconds since January 1, 1970 00:00:00 GMT, with no leading zeros.
bodyhash       OPTIONAL. A hash value computed as described in Section 3.2 of draft-ietf-oauth-v2-http-mac over the entire
               HTTP request entity body (as defined in Section 7.2 of RFC 2616). Note that the body hash may be missing only
               if there is no request body, i.e. an empty body. Otherwise it is required.
signature_alg  REQUIRED. The signature algorithm used by the client to sign the request. This proposal defines "RSA-SHA256",
               "RSA-SHA384" and "RSA-SHA512". More algorithms could be added in future.
signature      REQUIRED. A message signature calculated over the normalized request as
               BASE64(signature-algorithm(private key, request)). The request normalization is done as defined in
               Section 3.3.1 of draft-ietf-oauth-v2-http-mac with two exceptions: (a) the body hash is included without
               BASE64 applied and (b) no "ext" field is appended. All text-based fields in the normalized request are
               encoded in UTF-8.
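As an added example (not code from the post, VMware, or the SSO SDK), here is a Python sketch that assembles and checks the SIGN header rgeorgiev describes. It assumes the normalized-request element order of draft-ietf-oauth-v2-http-mac Section 3.3.1 (nonce, method, request-URI, lower-cased host, port, body hash, each followed by a newline), SHA-256 as the body-hash algorithm to match "RSA-SHA256", and PKCS#1 v1.5 padding for the RSA signature; the RSA key and SAML assertion are constructed placeholders and every function name is hypothetical.

```python
import base64, gzip, hashlib, secrets, time
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def encode_token(saml_xml: str) -> str:
    # token = BASE64(GZIP(SAML2)); mtime=0 keeps the gzip bytes reproducible
    return base64.b64encode(gzip.compress(saml_xml.encode("utf-8"), mtime=0)).decode("ascii")

def make_nonce(now=None, rand=None) -> str:
    # nonce = <seconds since 1970-01-01 00:00:00 GMT, no leading zeros>:<unique client string>
    return f"{int(time.time()) if now is None else now}:{secrets.token_hex(8) if rand is None else rand}"

def normalized_request(nonce, method, uri, host, port, raw_hash: bytes) -> bytes:
    # Element order assumed from draft-ietf-oauth-v2-http-mac 3.3.1 (LF after each element),
    # with the post's two exceptions: (a) raw digest bytes for the body hash, (b) no "ext".
    text = "\n".join([nonce, method.upper(), uri, host.lower(), str(port)])
    return text.encode("utf-8") + b"\n" + raw_hash + b"\n"

def build_authorization(private_key, saml_xml, method, uri, host, port, body=b"", nonce=None) -> str:
    # Hash algorithm is assumed to match signature_alg (SHA-256 for "RSA-SHA256").
    nonce = nonce or make_nonce()
    raw_hash = hashlib.sha256(body).digest() if body else b""  # bodyhash only when a body exists
    signature = private_key.sign(normalized_request(nonce, method, uri, host, port, raw_hash), padding.PKCS1v15(), hashes.SHA256())
    fields = [f'token="{encode_token(saml_xml)}"', f'nonce="{nonce}"']
    if body:
        fields.append(f'bodyhash="{base64.b64encode(raw_hash).decode("ascii")}"')
    fields += ['signature_alg="RSA-SHA256"', f'signature="{base64.b64encode(signature).decode("ascii")}"']
    return "SIGN " + ", ".join(fields)

def parse_authorization(header: str) -> dict:
    scheme, _, rest = header.partition(" ")
    assert scheme == "SIGN", "not a SIGN header"
    return {k: v.strip('"') for k, v in (p.split("=", 1) for p in rest.split(", "))}

def verify_authorization(public_key, header, method, uri, host, port, body=b"") -> bool:
    # Server side: recompute the normalized request and check the RSA signature over it.
    f = parse_authorization(header)
    raw_hash = hashlib.sha256(body).digest() if body else b""
    if body and f.get("bodyhash") != base64.b64encode(raw_hash).decode("ascii"):
        return False  # body altered after signing
    try:
        public_key.verify(base64.b64decode(f["signature"]), normalized_request(
            f["nonce"], method, uri, host, port, raw_hash), padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def new_signing_key():  # throwaway key for the test; a real client uses the key pair bound to its HoK token
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)
```

A real request carries the SAML assertion returned by the STS in place of the placeholder, and the nonce check on the server side (rejecting reused or stale timestamps) is what makes the replay protection the post mentions effective.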
clabman
Contributor

Hi rgeorgiev,

Thanks for your help!!

Great, I'm gonna try to format my header like that!

But do you know how I can generate the nonce and signature? There is nothing about that in the VMware documentation... Or perhaps I missed it!

Thanks again!!

motonoodz
Contributor

Hi Clabman,

Did you have any luck working out how to generate the header? Also, what about the delegate HoK?

Thanks

letmefun
Contributor

Did anyone succeed in generating the Authorization header? If yes, please share your experience.

rszymczak
Hot Shot

Hi igorstoyanov,

Do you know if there is a built-in workflow / action / API in the vSphere plugin for vRealize Orchestrator that will acquire a HoK token by username + password?

Do you see any other way to get a HoK token in vRO?
