VMware Cloud Community
VincentVro
Contributor

vRealize Orchestrator connection via the restTemplate API with the vSphere token

Hello,

I use the restTemplate API in Java to log in and run workflows on the vRO. The connection and the execution are carried out correctly with the login/password:

    // HTTP Basic authentication: "Basic " followed by base64(username:password)
    // (needs java.util.Base64 and java.nio.charset.StandardCharsets)
    headers.add("Authorization", "Basic " + Base64.getEncoder().encodeToString((username + ":" + password).getBytes(StandardCharsets.UTF_8)));

    HttpEntity<String> entity = new HttpEntity<String>(body, headers);

    ....

    ResponseEntity<?> responseRestTemplate = restTemplate.exchange(urlBuilder, HttpMethod.POST, entity, String.class);

This service is integrated into the vSphere UI as a plug-in.

I want to use the SSO connection token of vSphere to connect to the vRO and not use the login/password.

Is the token/key located in the "mob" of vSphere under content/SessionManager/currentSession/key?

How do I integrate this token into the restTemplate API header for the connection to work?

I specify the URL of the vRO, not its IP address, in "urlBuilder".

I tried different solutions without success.

Vincent

0 Kudos
5 Replies
iiliev
VMware Employee

Hi Vincent,

The key at this location in the MOB is not what you are looking for. You need a proper SAML token. As your solution is a vSphere plug-in, you can use an API like VimSessionUtil.getSsoToken() to get the token for the current user.

However, having this token alone is not enough. What we do in another plug-in is to use the AuthCalculator.computeToken() helper API, which will return a string array representation of the signed token, which you can then set as the value of the Authorization header when making the REST call.

0 Kudos
VincentVro
Contributor

Thanks Ilian!

I found this code:

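    // Private key bound to the holder-of-key SAML token
    PrivateKey keyPair = ssoService.getHokPrivateKey();  // ???????
    // SAML token of the current vSphere session, serialized to XML
    SamlToken samlToken = VimSessionUtil.getSsoToken();
    String currentToken = samlToken.toXml();
    String[] token = null;

    if (keyPair != null && currentToken != null) {
        // Sign the request together with the token using RSA-SHA256
        AuthCalculator calc = AuthCalculatorFactory.instance(SignatureAlgorithm.RSA_SHA256);
        token = calc.computeToken(request, keyPair, currentToken);
    }

    if (token != null) {
        // Each element of the signed token is added as an Authorization header value
        for (int i = 0; i < token.length; i++) {
            headers.add("Authorization", token[i]);
        }
    }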

I don't see what the first line, for the value "keyPair", is for?

In computeToken, what exactly is the request? The vRO URL or the complete URL of the workflow being called?

Vincent

0 Kudos
iiliev
VMware Employee

ssoService is an instance of com.vmware.vise.vim.security.sso.SsoService, which you can get as an OSGi reference from the vSphere Web Client platform.

request is the object representing HTTP request (instance of com.vmware.vim.sso.http.Request). It comes as part of httpSsoAuth library, together with AuthCalculator and other stuff. Not sure how you create HTTP clients in your plug-in, but if you don't have access to such request object, you won't be able to use helper classes like AuthCalculator.

0 Kudos
VincentVro
Contributor

To create the HTTP client, I do this:

    // SSL context that trusts self-signed certificates
    SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
    sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy());

    // Socket factory with hostname verification turned off (ALLOW_ALL_HOSTNAME_VERIFIER)
    SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContextBuilder.build(), SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

    // RestTemplate backed by the Apache HttpClient built above
    HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build();
    ClientHttpRequestFactory clientHttpRequestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
    RestTemplate restTemplate = new RestTemplate(clientHttpRequestFactory);

    // POST the request body to the vRO action execution endpoint
    HttpEntity<String> entity = new HttpEntity<String>(body, headers);
    String urlBuilder = vcoApiUrl + "/actions/" + actionId + "/executions";
    ResponseEntity<?> responseRestTemplate = restTemplate.exchange(urlBuilder, HttpMethod.POST, entity, String.class);

Is this the right way?

0 Kudos
iiliev
VMware Employee

It looks OK. I'm not sure, however, how to hook and get access to HTTP request object with this code.

In our plug-in, we have custom implementations of AbstractClientHttpRequest and ClientHttpRequestFactory, so it is relatively easy to hook there, get access to the internal request, and add token computation code. The drawback of this approach is that it adds more support code, so I'd recommend first checking the samples in the vSphere Management SDK and Web Client SDK to see if there is something more straightforward.

0 Kudos
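
The HTTP client posted in this thread trusts any self-signed certificate and turns hostname verification off, so the Authorization header (Basic credentials or a signed SAML token) is sent to whichever server answers on that URL. The following is an added example, not code from the thread or from VMware, that builds the same RestTemplate with certificate-chain and hostname validation left on. It assumes Apache HttpClient 4.4 or later, Spring's RestTemplate, and a PKCS#12 truststore (the class name, path and password parameters are hypothetical) that contains the CA or self-signed certificate of the vRO server.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

// Hypothetical helper class (not part of any VMware SDK).
public final class VroRestTemplateFactory {

    // Assumption: trustStorePath points to a PKCS#12 file holding only the
    // certificate(s) that should be trusted for the vRO endpoint.
    public static RestTemplate create(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trustStore.load(in, trustStorePassword);
        }

        // A null TrustStrategy keeps normal chain validation against trustStore;
        // a certificate is not accepted merely because it is self-signed.
        SSLContext sslContext = new SSLContextBuilder()
                .loadTrustMaterial(trustStore, null)
                .build();

        // DefaultHostnameVerifier matches the certificate's subjectAltName/CN
        // against the host in the request URL (instead of ALLOW_ALL_HOSTNAME_VERIFIER).
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2"},  // assumed protocol allow-list; adjust to the server
                null,                       // keep the JVM's default cipher suites
                new DefaultHostnameVerifier());

        HttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
    }
}
```

Because "urlBuilder" uses the vRO host name rather than its IP address, hostname verification succeeds as long as the server certificate lists that name.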