IBM Support

Acquiring Access Tokens for APM V8 API calls - An example

Technical Blog Post


Abstract

Acquiring Access Tokens for APM V8 API calls - An example

Body

APM RESTful APIs

IBM Cloud Application Performance Management (APM V8) provides RESTful APIs for accessing Role Based Access Control (RBAC), Resource Group and Threshold Management services. See documentation links in the 'References' section in this post.

Before calling the APM service APIs, obtain an access token from the OIDC server on the Cloud APM server. This access token is then used to authenticate the API calls. Example commands for obtaining the access token are included below.

Example: Obtaining Access Token using OIDC protocol

Below is an example of the steps to acquire an access token. The 'apmhost' can be either the IP address or the hostname of the APM server.

1. View the clientSecrets.xml file:

/opt/ibm/wlp/usr/shared/config/clientSecrets.xml

<server>
<variable name="client.id.apmui" value="rpapmui" />
<variable name="client.secret.apmui" value="{xor}CxsROBNtZgoMGDRoPW9qBxEaEi4NbzsaBxcFMhEy" />
</server>

2. Use an XOR decoder, such as: http://strelitzia.net/wasXORdecoder/wasXORdecoder.html
Decode the client.secret.apmui string (exclude the enclosing quotes): "{xor}CxsROBNtZgoMGDRoPW9qBxEaEi4NbzsaBxcFMhEy".

Decoded string obtained: TDNgL29USGk7b05XNEMqR0dEXHZmNm

3. Get access token:
Note that the decoded string from step 2 is used as the client_secret parameter value in the curl command below.


curl --tlsv1.2 -v -k -d "grant_type=password&client_id=rpapmui&client_secret=TDNgL29USGk7b05XNEMqR0dEXHZmNm&username=apmadmin&password=apmpass&scope=openid" https://apmhost:8099/oidc/endpoint/OP/token
* About to connect() to apmhost port 8099 (#0)
* Trying apmhost... connected
* Connected to apmhost(apmhost) port 8099 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=localhost,O=IBM,OU=oidc,C=US
* start date: Jul 14 23:29:14 2016 GMT
* expire date: Jul 14 23:29:14 2018 GMT
* common name: localhost
* issuer: CN=localhost,O=IBM,OU=oidc,C=US
> POST /oidc/endpoint/OP/token HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: apmhost:8099
> Accept: */*
> Content-Length: 130
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< X-Powered-By: Servlet/3.0
< Cache-Control: no-store
< Pragma: no-cache
< Content-Type: application/json;charset=UTF-8
< Content-Language: en-US
< Transfer-Encoding: chunked
< Date: Wed, 18 Oct 2017 21:00:14 GMT
<
* Connection #0 to host apmhost left intact
* Closing connection #0
{"access_token":"De7X5r6ygFGugvWLL17VoQ6k0QiMd5JvSECGUk3z","token_type":"Bearer","expires_in":1800,"scope":"openid","refresh_token":"chP9YZmieKkMKgJlj43vnIBIf8Zi2UYXcbOh51kk4ZyUtYhdQi"}


4. Access token received in step 3: De7X5r6ygFGugvWLL17VoQ6k0QiMd5JvSECGUk3z

5. Use the access token in a curl command.
The following curl command calls the RBAC API (--url https://apmhost:9443/1.0/authzn/users) to get the list of users. The access token is provided through the Authorization: Bearer header.

# curl --tlsv1.2 -v -k -H "Authorization: Bearer De7X5r6ygFGugvWLL17VoQ6k0QiMd5JvSECGUk3z" --request GET --url https://apmhost:9443/1.0/authzn/users --header 'accept: application/json' --header 'content-type: application/json' --header 'x-ibm-service-location: na'
* About to connect() to apmhost port 9443 (#0)
* Trying apmhost... connected
* Connected to apmhost (apmhost) port 9443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=liberty,O=IBM,C=US
* start date: Apr 21 18:09:20 2016 GMT
* expire date: Apr 21 18:09:20 2019 GMT
* common name: liberty
* issuer: CN=liberty,O=IBM,C=US
> GET /1.0/authzn/users HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: apmhost:9443
> Authorization: Bearer De7X5r6ygFGugvWLL17VoQ6k0QiMd5JvSECGUk3z
> accept: application/json
> content-type: application/json
> x-ibm-service-location: na
>
< HTTP/1.1 200 OK
< X-Powered-By: Servlet/3.0
< Content-Type: application/json
< Content-Length: 1953
< Set-Cookie: WAS_p139861935=Ew3SUaiE2SZbW5lmKoz13Fdnb7p28n+N7pk5gw0L7Z/DD3jmyjCpAemqAiybjZEU7fKZXPinWbwW6+CZZDXIOKKKef5ZETXwBFeRB4vVUHvLI4dTVjPkvUDS2B7DIgxQd5djx2rkwgRxyyLbGf1IKV//fApAKHAAXqx3FjCW/r+Q6A4YSfoSB2nuCvfdm6Wyd/j1O0rOWJkuuN1HELLd+xH1XBtjG/N31+TMJulwbOAq6ccurmI3y438Gs6SQoq4HN0u2ui39NB3nrIYpYRi5O6tbA7ABb4/4VzZ88hoqTX9AzwxPl3yZwAUavWxZ1/4; Path=/; Secure; HttpOnly
< Date: Wed, 18 Oct 2017 21:09:14 GMT
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
< Cache-Control: no-cache="set-cookie, set-cookie2"
<
* Connection #0 to host apmhost left intact
* Closing connection #0
[{"id":"user:customRealm\/apmadmin","label":"apmadmin","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fapmadmin","type":"user"},{"id":"user:customRealm\/kirk","label":"kirk","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fkirk","type":"user"},{"id":"user:customRealm\/susan","label":"susan","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fsusan","type":"user"},{"id":"user:customRealm\/derek","label":"derek","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fderek","type":"user"},{"id":"user:customRealm\/ray","label":"ray","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fray","type":"user"},{"id":"user:customRealm\/tracy","label":"tracy","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Ftracy","type":"user"},{"id":"user:customRealm\/gary","label":"gary","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fgary","type":"user"},{"id":"user:customRealm\/harriet","label":"harriet","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fharriet","type":"user"},{"id":"user:customRealm\/john","label":"john","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fjohn","type":"user"},{"id":"user:customRealm\/noel","label":"noel","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fnoel","type":"user"},{"id":"user:customRealm\/jeanette","label":"jeanette","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fjeanette","type":"user"},{"id":"user:customRealm\/bruce","label":"bruce","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fbruce","type":"user"},{"id":"user:customRealm\/glenn","label":"glenn","href":"https:\/\/apmhost:9443\/1.0\/authzn\/users\/user%3AcustomRealm%252Fglenn","type":"user"}]
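
Steps 1 to 5 as one script, added here as an illustration (not IBM's code; the function names and the `ca_file` argument are this example's own). It decodes the `{xor}` value locally, which is Base64 over bytes XORed with `_` and so obfuscation rather than encryption, instead of pasting the client secret into a web page, and it verifies the server certificate where the curl commands pass `-k`.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# clientSecrets.xml content as shown in step 1 of the page
SAMPLE_XML = """<server>
<variable name="client.id.apmui" value="rpapmui" />
<variable name="client.secret.apmui" value="{xor}CxsROBNtZgoMGDRoPW9qBxEaEi4NbzsaBxcFMhEy" />
</server>"""

def decode_xor(value):
    """Step 2: drop the {xor} tag, Base64-decode, XOR each byte with '_' (0x5F)."""
    if not value.startswith("{xor}"):
        raise ValueError("value is not {xor}-encoded")
    raw = base64.b64decode(value[len("{xor}"):], validate=True)
    return bytes(b ^ 0x5F for b in raw).decode("utf-8")

def read_client(xml_text, suffix="apmui"):
    """Step 1: read client.id.<suffix> and the decoded client.secret.<suffix>."""
    names = {v.get("name"): v.get("value") for v in ET.fromstring(xml_text).iter("variable")}
    return names["client.id." + suffix], decode_xor(names["client.secret." + suffix])

def token_request(host, client_id, client_secret, username, password):
    """Step 3: build the password-grant POST for the OIDC token endpoint."""
    form = {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "scope": "openid"}
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(f"https://{host}:8099/oidc/endpoint/OP/token", data=body, method="POST")

def bearer_headers(token_response):
    """Steps 4-5: turn the token endpoint's JSON reply into API request headers."""
    token = json.loads(token_response)
    if token.get("token_type", "").lower() != "bearer" or not token.get("access_token"):
        raise ValueError("reply carries no bearer access token")
    return {"Authorization": "Bearer " + token["access_token"],
            "accept": "application/json", "x-ibm-service-location": "na"}

def send(request, ca_file):
    """Send with certificate verification against ca_file (curl -k skips it)."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=10) as reply:
        return reply.read().decode("utf-8")

if __name__ == "__main__":
    client_id, secret = read_client(SAMPLE_XML)
    print(client_id, len(secret))
```

The certificates in the output above are issued to CN=localhost and CN=liberty, so `send` succeeds only once the server presents a certificate that matches the name used for apmhost and chains to `ca_file`.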

References

IBM Cloud Application Performance Management

Accessing and using the Role Based Access Control Service API

Using the Resource Group Management Service API (Not available in V8.1.3)

Using the Threshold Management Service API

UID

ibm11082865