Logging in to a management server

You log in to a management server from the command line by using the apic login command. The parameters that you supply determine the identity provider that is used to authenticated the supplied user ID, and the scope of the tasks that can be performed after successful log in.

Note: You cannot use the CLI to log in to a management server that uses an OIDC user registry for authentication, because browser access is required for OIDC log in.
To log in to the management server from the command line, enter the following command:
apic login --server mgmt_endpoint_url --username user_id --password password --realm realm
The parameters for the apic login command are as follows:
mgmt_endpoint_url
Either the platform API endpoint URL, or the consumer API endpoint URL. Use the platform API endpoint URL if you are logging in as a member of a cloud administration organization or provider organization, and the consumer API endpoint URL if you are logging in as a member of a consumer organization. These endpoint URLs are configured during the installation of API Connect, as described in Installing the Management subsystem into a Kubernetes environment and Deploying the Management subsystem in a VMware environment. If you have access to the Cloud Manager user interface, you can view the configured endpoint URLs as described in Viewing platform and UI endpoints, ignoring any segments at the end of the displayed URLs. If you are not sure of the endpoint URL, ask your administrator.
user_id
The user ID you want to log in with. Depending on the tasks that you want to perform, this user ID might be any of the following:
  • A user ID that is a member of the cloud administration organization. This is an ID that you could also use to log in to the Cloud Manager user interface.
  • A user ID that is a member of a provider organization. This is an ID that you could also use to log in to the API Manager user interface.
  • A user ID that is a member of a consumer organization. This is an ID that you could also use to log in to the Developer Portal.
password
The password associated with the supplied user ID.
realm
The realm parameter specifies the identity provider that is used to authenticated the supplied user ID, and the scope of the tasks that can be performed after successful log in.
The format of the realm depends on the type of user, as follows:
  • Member of the cloud administration organization:
    admin/identity_provider

    To determine the identity provider, see How to determine the identity provider.

  • Member of a provider organization:
    provider/identity_provider

    To determine the identity provider, see How to determine the identity provider.

  • Member of a consumer organization:
    consumer:provider_org:catalog/identity_provider
    where provider_org is the name of your provider organization, and catalog is the name of the Catalog in that provider organization.

    To determine the identity provider, see How to determine the identity provider.

    Important: If you log in to the CLI as a member of a consumer organization, you must supply the --mode=consumer parameter to the apic login command, and to all consumer commands. To avoid having to type the parameter every time, you can set the mode configuration variable, by entering the following command:
    apic config:set mode=consumer
You can also use the command interactively; enter apic login and you will be prompted for the values. For example:
apic login
Enter your API Connect credentials
Server? platform-api.myserver.com
Realm? provider/default-idp-2
Username? myuser
Password? 
Logged into myserver.com successfully

How to determine the identity provider

If you want to log in as a member of the cloud administration organization, or as a member of a provider organization, you can help determine which identity provider to use in the realm parameter by entering the following command to see a list of all available identity providers (you do not need to be logged in to use this command):
apic identity-providers:list --scope scope --server mgmt_endpoint_url --fields name,title
where scope has the value admin or provider depending on whether you want to log in as a member of the cloud administration organization, or as a member of a provider organization. The output lists the names and titles of all identity providers, for example:
apic identity-providers:list --scope admin --server myserver.com --fields name,title 
total_results: 2
results:
  - name: default-idp-1
    title: Cloud Manager User Registry
  - name: corporate-ldap
    title: Corporate LDAP user registry

The title value should enable you to determine which identity provider to use; the corresponding name value is what you specify in the realm parameter.

For any identity providers that were created by your administrator after API Connect was installed, the names will have been determined at creation time.

By default, API Connect creates a local user registry for user login for every context. The identity providers associated with these default registries are as follows:
Registry Identity provider name
Cloud Manager Local User Registry (for login as a member of the cloud administration organization) default-idp-1
API Manager Local User Registry (for login as a member of a provider organization) default-idp-2
Sandbox Catalog User Registry (for login as a member of a consumer organization) sandbox-idp

If you want to log in as a member of a consumer organization, and you are not using the default Sandbox Catalog User Registry, ask your administrator for the name of your identity provider.

Logging out

To log out of a management server, use the following command:
apic logout --server mgmt_endpoint_url