This section explains how the web service requests are authenticated. The implementation of the authentication mechanism varies according to your Infrastructure Management setup.
A web service request is authenticated using a user name and password. You have the option to use a tenant name with the user name and password for some web service requests. The user credentials are passed through the HTTP header. Based on your Infrastructure Management setup, the user credentials are authenticated against the information in the Infrastructure Management Database, the LDAP server, or BMC Atrium Single Sign-On (BMC Atrium SSO).
The authentication mechanism uses the following formats to encode the user credentials:
In the URL-encoded format, a successful authentication generates an authentication token. You can use this authentication token in your subsequent web service requests. The token has a time-limited validity. You can configure the validity time of the authentication token by updating the value of the loginExpiryInterval_hrs
property set in the bppmws.properties file. In a multiple server environment, you must set this property in all the servers. The file is located in the pw\pronto\conf directory. By default, the value of the loginExpiryInterval_hrs
property is 24.
The login API uses the POST method to authenticate user credentials. After successful authentication, the login API generates an authentication token.
The generic syntax of the URL to authenticate user credentials is as follows:
http|https://<serverHost>:<port>/bppmws/api/authenticate/login
Entry | Description |
---|---|
http|https | Type of protocol to send the request. Infrastructure Management support both HTTP and HTTPS protocols. |
serverHost | Host name of the BMC TrueSight Infrastructure Management Server |
port | Port number through which communication is established. The default port number is 80 if you use the HTTP protocol and 443 if you use the HTTPS protocol. |
You must provide the following parameters in the URL-encoded format.
Parameters | Description |
---|---|
username | User name that you want to authenticate |
password | Password for the corresponding user name |
tenantName | Name of the tenant for which you want to fetch data. This parameter is optional and is applicable only for stats, configdata, and metadata APIs. |
The sample response is as follows:
{ "response": { "status": "OK", "authToken": "TC9r9c/izIOdaQzztOjlqDE8ozc=", "authPassed": true, "expires": "2011-07-06T18:08:54" }, "statusCode": "200", "statusMsg": "OK", "responseTimeStamp": "2011-07-05T18:08:54" }
The authentication token that is generated is TC9r9c/izIOdaQzztOjlqDE8ozc=
. You can also find the expiration date and time of the authentication token in the JSON response.
Note
The REST client internally makes an authentication login API call each time it is used, passing the username/password specified in the command line. Therefore, do not use the REST client to directly call the login API.
To authenticate from a POST request, send username=admin&password=admin
in the body and content type as application/x-www-form-urlencoded
of the POST request to the authentication API URL.
You must provide the authentication token in the header of your subsequent web service requests by using the authorization parameter. The use of the authentication token in the header of a web service request is as follows:
authorization authtoken TC9r9c/izIOdaQzztOjlqDE8ozc=
In this example, authtoken TC9r9c/izIOdaQzztOjlqDE8ozc=
is the value of the authorization parameter.
You can manually end the validity of an authentication token by using logout API that uses the POST method.
The generic syntax of the logout API is as follows:
http|https://<serverHost>:<port>/bppmws/api/authenticate/logout
You must provide the following parameters in the URL-encoded format:
Parameters | Description |
---|---|
username | User name that you want to authenticate |
password | Password for the corresponding user name |
tenantName | Name of the tenant for which you want to fetch data. This parameter is optional. |
The sample response is as follows:
{ "response": { "status": "OK", "authPassed": true }, "statusCode": "200", "statusMsg": "OK", "responseTimeStamp": "2011-12-07T14:05:19" }
You cannot use the authentication token after ending its validity. You must create a new authentication token by using the login API.
In this format, a concatenated string of the user name and password separated by a colon (:) is created. This string is encoded in the Base64 format. A web service client uses this encoded string as the user credentials in the HTTP header. Every web service request must have the Base64-encoded format of the user credentials in the HTTP header. If you decide to use this format, you do not have to run the login API.
For example, if the user name is admin
and password is admin
, the concatenated string is admin:admin
. The Base64 encoded string of admin:admin
is YWRtaW46YWRtaW4=
. You must use this encoded string as the user credentials in the HTTP header of every web service request. The use of the Base64 encoded string in the header of a web service request is as follows:
authorization basic YWRtaW46YWRtaW4=
Note
BMC recommends that you use the Base64 format only when you have SSL configured and if you do not use web service requests frequently.
1 Comment
Charles Kelley