API infrastructure
Recent versions of BMC Database Automation have been enhanced to provide more extensible authentication. Previous models used an SSL client certificate to authenticate the caller as a legitimate API client; however, the actual access control layer was bypassed (under the presumption that the caller is a portal solution providing its own access control system).
The API infrastructure now supports three modes of authentication. The mode is selected by adding an auth_mode= directive to the global mtd.conf file and restarting the mtd with the command service mtd restart:
- Uncontrolled access (legacy mode): The caller is permitted to access any resource in BMC Database Automation, bypassing all access control. This model is suitable for integration with portals where the calling product takes responsibility for access control (thereby eliminating the need to synchronize authorization-related information between the two products). If there is no auth_mode directive in the global mtd.conf file, legacy mode is the default. You can explicitly enable this mode by adding auth_mode=legacy to the mtd.conf file.
- User authorization: The caller provides the username on whose behalf the operation is to be performed. BMC Database Automation performs access control for that username, ensuring that the call can only access or operate on resources the user is permitted to access. However, it operates under the assumption that the calling user has already been authenticated by the caller. This model is suitable for portals where authentication is performed by the caller and only the username is available to be passed to BMC Database Automation (for example, SSO environments that use smartcard authentication). This mode is enabled by adding auth_mode=authorization to the global mtd.conf file.
- User authentication/authorization: This model is similar to the User authorization model, except that the caller is expected to provide both the username and the password of the authenticating user. BMC Database Automation validates the supplied credentials against the local credential store or LDAP (if configured), and only permits the API call to succeed if both the username and password are valid. This mode is enabled by adding auth_mode=authentication to the global mtd.conf file.
In all three modes, an SSL client certificate must be installed on the client connecting to the BMC Database Automation manager. The product ships with a default certificate that can be used for testing; replace it with your own certificate before the solution enters production. Where the caller supplies a username (and, in authentication mode, a password), it does so by setting the environment variables GA_USERNAME and GA_PASSWORD before invoking the command line tool. Passing the values as command line arguments is deliberately not supported, because arguments are potentially visible to other users in multi-user environments.
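The following POSIX shell script is an added example, not BMC's own code. It shows the two administrative steps the text describes: setting (and reading back) the auth_mode directive in a copy of mtd.conf, rejecting any value other than the three documented modes so that a typo cannot silently fall back to legacy mode, and launching the command line tool with GA_USERNAME and GA_PASSWORD in its environment rather than on its command line. The page does not name the command line tool, so the demonstration runs sh -c in its place; the credentials file layout (username on line one, password on line two) and the sample mtd.conf contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not BMC's own code): manage auth_mode in a copy of mtd.conf
# and pass API credentials through the environment, not argv.

ALLOWED_MODES="legacy authorization authentication"

# Return 0 if $1 is one of the three documented auth_mode values.
valid_auth_mode() {
    for m in $ALLOWED_MODES; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# Print the effective auth_mode for the mtd.conf given as $1. The last
# auth_mode= line wins; with no directive at all the product uses legacy.
get_auth_mode() {
    mode=$(sed -n 's/^[[:space:]]*auth_mode=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-legacy}"
}

# Set auth_mode=$2 in the file $1, replacing an existing directive or
# appending one. Unknown modes are refused before the file is touched.
set_auth_mode() {
    conf=$1; mode=$2
    valid_auth_mode "$mode" || { echo "unknown auth_mode: $mode" >&2; return 1; }
    if grep -q '^[[:space:]]*auth_mode=' "$conf"; then
        # sed -i is not portable between GNU and BSD sed; go via a temp file
        sed "s/^[[:space:]]*auth_mode=.*/auth_mode=$mode/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'auth_mode=%s\n' "$mode" >> "$conf"
    fi
}

# Run the command given as $2... with GA_USERNAME and GA_PASSWORD taken from
# the credentials file $1 (line 1: username, line 2: password; assumed layout).
# The values live only in the child's environment, so they never appear in
# its argument list on a shared host.
run_with_creds() {
    credfile=$1; shift
    [ -f "$credfile" ] || { echo "missing credentials file: $credfile" >&2; return 1; }
    GA_USERNAME=$(sed -n 1p "$credfile") GA_PASSWORD=$(sed -n 2p "$credfile") "$@"
}

# Demonstration on constructed input (a scratch directory, removed afterwards).
demo() {
    work=$(mktemp -d)
    conf="$work/mtd.conf"
    # constructed sample: a global mtd.conf without any auth_mode directive
    printf '# global mtd.conf (constructed sample)\nlisten_port=443\n' > "$conf"
    echo "default mode: $(get_auth_mode "$conf")"
    set_auth_mode "$conf" authentication
    echo "after set:    $(get_auth_mode "$conf")"
    set_auth_mode "$conf" bogus || echo "rejected unknown mode as expected"

    # constructed credentials file, readable only by its owner
    printf 'apiuser\ncorrect horse battery staple\n' > "$work/creds"
    chmod 600 "$work/creds"
    # sh -c stands in for the BMC command line tool (its name is not on the page);
    # only the password length is echoed so the secret does not land in a log
    run_with_creds "$work/creds" sh -c 'echo "user=$GA_USERNAME password_length=${#GA_PASSWORD}"'
    rm -rf "$work"
}

demo
```

Apply set_auth_mode to the real global mtd.conf only when the mtd can be restarted afterwards (service mtd restart), since the running daemon does not re-read the directive on its own; get_auth_mode is useful as a quick audit check that a manager intended for authentication mode has not been left at the legacy default.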