Most of us know that vRO has a REST API and that every request to this Orchestrator REST API must be authorized by an authenticated user.
Depending on whether you configure Orchestrator with LDAP, vCenter Single Sign-On or OAuth 2.0, the authentication scheme for the Orchestrator REST API is different.
The most common way to consume the Orchestrator REST API is based on LDAP authentication. The downside of this approach is that you must apply the Basic HTTP authentication scheme on the vRO virtual appliance, or on the vRA virtual appliance when using the embedded vRO instance.
To apply the Basic HTTP authentication scheme, you need to add the following property to the vmo.properties configuration file:
com.vmware.o11n.sso.basic-authentication.enabled = true
The vRO API documentation can be found at:
https://<fqdn-vro-virtual-appliance>:8281/vco/api/docs/index.html
or
https://<fqdn-vra-virtual-appliance>/vco/api/docs/index.html
HOWEVER, if Orchestrator is configured with vIDM, you can use an OAuth bearer access token to access system objects in Orchestrator through the REST API. This also removes the requirement to apply the Basic HTTP authentication scheme. vIDM authentication is THE recommended authentication mechanism when using vRO 7.x together with vRA 7.x!
This blog post shows how to consume the vRO 7.x REST API with OAuth 2.0 authentication!
- First you need to look up the client ID. You can do this by logging in to the vRA virtual appliance with your favorite SSH client. The <CLIENT_ID> can be found in /etc/vcac/solution-users.properties. For this request to work you will need the cafe_cli client. The following command should print it to the console:

```
grep -i cafe_cli= /etc/vcac/solution-users.properties | sed -e 's/cafe_cli=//'
```

- Secondly, write down the following prerequisites: <vRA VA>, <TENANT>, <USERNAME> and <PASSWORD>. Please note that the <USERNAME> must be entered the same way it is entered on the login page. The <DOMAIN> is the fully qualified name of the domain of the user. You can find it by searching for the user in ‘Administration -> Users & Groups -> Directory Users and Groups’.

```
In my example I used the following values:
<vRA VA> = pb0vrava03.flexlab.local
<TENANT> = vsphere.local
<CLIENT_ID> = cafe_cli-7q28CXzOJA
<USERNAME> = adm_dennis
<PASSWORD> = Password!
<DOMAIN> = flexlab.local
```

- Now that you have gathered all the prerequisites, you can request the bearer token with the following REST API call.

```
Url:
POST --> https://pb0vrava03.flexlab.local/SAAS/t/vsphere.local/auth/oauthtoken?grant_type=password

Header:
Content-Type --> application/x-www-form-urlencoded

Request Body:
username=adm_dennis&password=Password!&client_id=cafe_cli-7q28CXzOJA&domain=flexlab.local

Response Body:
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.[...].PS0AaoDJfUta8mV437zssDeVkKn-9TuVCPH7fBi4gjknu4r2ba0K04vkELbT2Ivpl1uy4snZkvmQVNTnWlsh6ZpIvvRkjo1bqY1uG1qAcgR2Yd6Pw-U09ppmQrKqBhPS1jUyh_3gJsm21jq4c_zeKrknoLxUx_HiPOzAfcjH1ro",
  "token_type": "Bearer",
  "expires_in": 28799,
  "scope": "user"
}
```

- Finally, we can use our bearer token to consume the vRO REST API! See below for an example when using the external vRO virtual appliance.

```
Url:
GET --> https://pb0vravro701.flexlab.local:8281/vco/api/workflows

Header:
Accept --> application/json
Content-Type --> application/json
Authorization --> Bearer LCJhbGciOiJSUzI1NiJ9.[...].PS0AaoDJfUta8mV437zssDeVkKn-9TuVCPH7fBi4gjknu4r2ba0K04vkELbT2Ivpl1uy4snZkvmQVNTnWlsh6ZpIvvRkjo1bqY1uG1qAcgR2Yd6Pw-U09ppmQrKqBhPS1jUyh_3gJsm21jq4c_zeKrknoLxUx_HiPOzAfcjH1ro

Response Body:
{
  "link": [
    {
      "attributes": [
        {"value": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/DF8080808080808080808080808080808980808001297259131125b940b51f82d/", "name": "itemHref"},
        {"value": "true", "name": "canExecute"},
        {"value": "true", "name": "canEdit"},
        {"value": "Copy an SNMP query", "name": "name"},
        {"value": "Copies an SNMP query from one device to another.", "name": "description"},
        {"value": "DF8080808080808080808080808080808980808001297259131125b940b51f82d", "name": "id"},
        {"value": "https://pb0vravro701.flexlab.local:8281/vco/api/catalog/System/WorkflowCategory/8a81807c52a26a7c0152a26b23d00017/", "name": "categoryHref"},
        {"value": "Workflow", "name": "type"},
        {"value": "0.0.3", "name": "version"},
        {"value": "Query Management", "name": "categoryName"},
        {"value": "false", "name": "customIcon"}
      ],
      "href": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/DF8080808080808080808080808080808980808001297259131125b940b51f82d/",
      "rel": "down"
    },
    {
      "attributes": [
        {"value": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/B98080808080808080808080808080808080808001297259131125b940b51f82d/", "name": "itemHref"},
        {"value": "true", "name": "canExecute"},
        {"value": "true", "name": "canEdit"},
        {"value": "Unregister an SNMP device", "name": "name"},
        {"value": "Unregisters an SNMP device from the plug-in's inventory.", "name": "description"},
        {"value": "B98080808080808080808080808080808080808001297259131125b940b51f82d", "name": "id"},
        {"value": "https://pb0vravro701.flexlab.local:8281/vco/api/catalog/System/WorkflowCategory/8a81807c52a26a7c0152a26b2419001c/", "name": "categoryHref"},
        {"value": "Workflow", "name": "type"},
        {"value": "0.0.2", "name": "version"},
        {"value": "Device Management", "name": "categoryName"},
        {"value": "false", "name": "customIcon"}
      ],
      "href": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/B98080808080808080808080808080808080808001297259131125b940b51f82d/",
      "rel": "down"
    },
    {
      "attributes": [
        {"value": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/E28080808080808080808080808080808F80808001297259131125b940b51f82d/", "name": "itemHref"},
        {"value": "true", "name": "canExecute"},
        {"value": "true", "name": "canEdit"},
        {"value": "Get bulk SNMP values", "name": "name"}
etc. etc..
```

- Have fun with the vRO REST API 😉
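
The token request and the authenticated workflow call from the steps above, as an added Python example that is not part of the original post. The function names and the `ca_file` parameter are assumptions of this sketch; the hosts, paths, form fields and response fields are the ones shown in the post. It URL-encodes the credentials, rejects anything that is not a bearer token, and keeps TLS certificate verification on.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request

def token_request(vra_host, tenant, username, password, client_id, domain):
    """Build the token POST; credentials travel in the form body, not the URL."""
    url = "https://%s/SAAS/t/%s/auth/oauthtoken?grant_type=password" % (
        vra_host, urllib.parse.quote(tenant, safe=""))
    # urlencode() escapes '&', '=' and '!', so a password cannot break the form
    body = urllib.parse.urlencode({"username": username, "password": password,
                                   "client_id": client_id, "domain": domain})
    return urllib.request.Request(url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token(response_body, now=None):
    """Return (access_token, refresh_at_epoch); reject non-bearer responses."""
    doc = json.loads(response_body)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("not a bearer token response")
    now = time.time() if now is None else now
    return doc["access_token"], now + int(doc["expires_in"]) - 60  # renew 60 s early

def workflows_request(vro_host, token, port=8281):
    """Build GET /vco/api/workflows with the bearer token in the header."""
    return urllib.request.Request(
        "https://%s:%d/vco/api/workflows" % (vro_host, port),
        headers={"Accept": "application/json", "Authorization": "Bearer " + token})

def workflow_summaries(response_body):
    """Flatten each link's name/value attribute list into one dict per workflow."""
    keep = ("id", "name", "version", "categoryName", "canExecute")
    result = []
    for link in json.loads(response_body).get("link", []):
        attrs = {a["name"]: a.get("value") for a in link.get("attributes", [])}
        result.append({k: attrs.get(k) for k in keep})
    return result

def send(request, ca_file=None):
    """Send with certificate verification on; ca_file trusts an appliance CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, timeout=30, context=ctx) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    # Constructed token response, so this runs without an appliance.
    tok, _ = parse_token('{"access_token": "SAMPLE.TOKEN", "token_type": "Bearer", "expires_in": 28799}')
    req = workflows_request("pb0vravro701.flexlab.local", tok)
    print(req.get_method(), req.full_url)
```

For a live call, pass each request object to `send()`, giving `ca_file` the appliance's CA certificate if it is not signed by a publicly trusted CA.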
Excellent article ! That saved me hours of research.
Thanks a lot.
Awesome Thanks!