Logging in to a management server

You log in to a management server from the command line by using the apic login command. The parameters that you supply determine the identity provider that is used to authenticate the supplied user ID, and the scope of the tasks that can be performed after successful login.

Attention: If you want to log in with an OIDC user registry, see Logging in to a management server with an OIDC registry.
  1. Clear the credentials from any previous login by running the following command:
    apic client-creds:clear

    Clearing the credentials ensures that you do not inadvertently log in with the wrong set of credentials (for example, from a different product release or environment).

  2. Set the credentials that you want to use now by running the following command:
    apic client-creds:set path_to_credentials/credential.json
    where path_to_credentials is the location of the credential.json file that you want to use. For example:
    apic client-creds:set /Users/local_user/credential.json
  3. Log in by running the following command:
    apic login --server mgmt_endpoint_url --username user_id --password password --realm realm
The parameters for the apic login command are as follows:
mgmt_endpoint_url
The URL depends on the type of organization that you are logging in with:
  • Cloud admin organization or Provider organization: Use one of the following URLs:
    • platform API endpoint URL
    • management API manager URL
  • Consumer organization: Use the consumer API endpoint URL
These endpoint URLs are configured during the installation of API Connect, as described in Installing the Management subsystem into a Kubernetes environment and Deploying the Management subsystem in a VMware environment. If you have access to the Cloud Manager user interface, you can view the configured endpoint URLs as described in Viewing platform and UI endpoints, ignoring any segments at the end of the displayed URLs. If you are not sure of the endpoint URL, ask your administrator.
user_id
The user ID you want to log in with. Depending on the tasks that you want to perform, this user ID might be any of the following:
  • A user ID that is a member of the cloud administration organization. This is an ID that you could also use to log in to the Cloud Manager user interface.
  • A user ID that is a member of a provider organization. This is an ID that you could also use to log in to the API Manager user interface.
  • A user ID that is a member of a consumer organization. This is an ID that you could also use to log in to the Developer Portal.
password
The password associated with the supplied user ID.
realm
The realm parameter specifies the identity provider that is used to authenticate the supplied user ID, and the scope of the tasks that can be performed after successful login.
The format of the realm depends on the type of user, as follows:
  • Member of the cloud administration organization:
    admin/identity_provider

    To determine the identity provider, see How to determine the identity provider.

  • Member of a provider organization:
    provider/identity_provider

    To determine the identity provider, see How to determine the identity provider.

  • Member of a consumer organization:
    consumer:provider_org:catalog/identity_provider
    where provider_org is the name of your provider organization, and catalog is the name of the Catalog in that provider organization.

    To determine the identity provider, see How to determine the identity provider.

    Important:
    • If you have installed toolkit credentials, as detailed in Installing the toolkit, then at any one time, you can use only one set of toolkit credentials for login to a management server from the toolkit CLI. If you want to log in to a different management server you must install the toolkit credentials from that management server.
      To revert to the default pre-supplied toolkit credentials for all login operations from the toolkit CLI, use the following command:
      apic client-creds:clear
    • If you log in to the CLI as a member of a consumer organization, you must supply the --mode=consumer parameter to the apic login command, and to all consumer commands. To avoid having to type the parameter every time, you can set the mode configuration variable, by entering the following command:
      apic config:set mode=consumer
You can also use the command interactively; enter apic login and you will be prompted for the values. For example:
apic login
Enter your API Connect credentials
Server? platform-api.myserver.com
Realm? provider/default-idp-2
Username? myuser
Password? 
Logged into myserver.com successfully
Note: If you see a message stating that credentials cannot be found, download new credentials as explained in Downloading the toolkit.

How to determine the identity provider

If you want to log in as a member of the cloud administration organization, or as a member of a provider organization, you can help determine which identity provider to use in the --realm parameter by entering the following command to see a list of all available identity providers (you do not need to be logged in to use this command):
apic identity-providers:list --scope scope --server mgmt_endpoint_url --fields title,realm
where scope has the value admin or provider depending on whether you want to log in as a member of the cloud administration organization, or as a member of a provider organization. The output lists the names and titles of all identity providers, for example:
apic identity-providers:list --scope admin --server myserver.com --fields title,realm
total_results: 2
results:
  - title: Cloud Manager User Registry
    realm: admin/default-idp-1
  - title: Corporate LDAP user registry
    realm: admin/corporate-ldap
The title value should enable you to determine which identity provider to use; you can then copy the corresponding --realm parameter directly from the displayed realm value. For any identity providers that were created by your administrator after API Connect was installed, the names will have been determined at creation time. The default Cloud Manager Local User Registry for login as a member of the cloud administration organization is default-idp-1, and the default API Manager Local User Registry for login as a member of a provider organization is default-idp-2.
By default, API Connect creates a local user registry for user login for every context. The identity providers associated with these default registries are as follows:
Registry                                                                                              Identity provider name
Cloud Manager Local User Registry (for login as a member of the cloud administration organization)    default-idp-1
API Manager Local User Registry (for login as a member of a provider organization)                    default-idp-2
Sandbox Catalog User Registry (for login as a member of a consumer organization)                      sandbox-idp

If you want to log in as a member of a consumer organization, and you are not using the default Sandbox Catalog User Registry, ask your administrator for the name of your identity provider.
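The realm formats and the identity-providers:list output described above can be handled in a script so that the --realm value is never typed by hand. This is an added shell example, not IBM's code: the helper names realm_by_title, build_realm and valid_name are hypothetical, and the allowed character set for names is an assumption made here so that a stray "/" or ":" cannot change how the realm is parsed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of the apic toolkit.

# Constructed sample: the identity-providers:list output shown on this page.
SAMPLE_IDP_LIST='total_results: 2
results:
  - title: Cloud Manager User Registry
    realm: admin/default-idp-1
  - title: Corporate LDAP user registry
    realm: admin/corporate-ldap'

# realm_by_title TITLE: read "--fields title,realm" output on stdin and print
# the realm paired with the exact TITLE. Fails unless exactly one entry matches.
realm_by_title() {
  WANT="$1" awk '
    BEGIN          { want = ENVIRON["WANT"] "" }
    /^ *- title: / { sub(/^ *- title: /, ""); title = $0; next }
    /^ *realm: /   { sub(/^ *realm: /, "")
                     if (title == want) { print; n++ }
                     title = "" }
    END            { exit (n == 1 ? 0 : 1) }'
}

# valid_name NAME: assumption of this example, accept only [A-Za-z0-9._-]
# so that "/" and ":" (the realm separators) cannot be smuggled into a name.
valid_name() {
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# build_realm TYPE IDP [PROVIDER_ORG CATALOG]: compose the --realm value for
# the three user types documented above. Returns 2 on bad or missing input.
build_realm() {
  valid_name "$2" || return 2
  case "$1" in
    admin|provider) printf '%s/%s\n' "$1" "$2" ;;
    consumer)
      valid_name "$3" && valid_name "$4" || return 2
      printf 'consumer:%s:%s/%s\n' "$3" "$4" "$2" ;;
    *) return 2 ;;
  esac
}

# With the toolkit installed, the live list can be piped in the same way:
#   apic identity-providers:list --scope admin --server "$server" \
#     --fields title,realm | realm_by_title 'Corporate LDAP user registry'
printf '%s\n' "$SAMPLE_IDP_LIST" | realm_by_title 'Corporate LDAP user registry'
build_realm consumer sandbox-idp myorg sandbox
```

A consumer realm built this way still needs --mode=consumer on apic login, as noted above.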

Logging out

To log out of a management server, use the following command:
apic logout --server mgmt_endpoint_url