How to consume the vRO 7.x API with Oauth2.0 Authentication

Most of us know that vRO has a REST API and that every request to this Orchestrator REST API must be authorized by an authenticated user.
Depending on whether you configure Orchestrator with LDAP,vCenter Single Sign-On or Oauth2.0, the authentication scheme for the Orchestrator REST API is different.

The most commonly way to consume the Orchestrator REST API, is based on LDAP Authentication. The downside of this approach is, that you must apply the Basic HTTP authentication scheme on the vRO virtual appliance or on the vRA virtual appliance when using the embedded vRO instance.

To apply the Basic HTTP authentication scheme, you need to add the following property to vmo.properties configuration file:

com.vmware.o11n.sso.basic-authentication.enabled = true

The vRO API documentation can be found on:

HOWEVER, if Orchestrator is configured with vIDM you can use an oauth bearer access token to access system objects in Orchestrator through the REST API. This also removes the requirement to apply the Basic HTTP authentication scheme. vIDM Authentication is THE recommended authentication mechanism when using vRO 7.x together with vRA 7.x !

This blogpost reveals how to consume the vRO 7.x REST API with Oauth2.0 Authentication!

  1. First you need to lookup the client id. You can do this by logging into the vRA virtual appliance with your favorite SSH client.  The <CLIENT_ID> can be found in /etc/vcac/solution-users.properties. For this request to work you will need the cafe_cli client. The following script should print it in the console. (grep -i cafe_cli= /etc/vcac/solution-users.properties | sed -e ‘s/cafe_cli=//’)
  2. Secondly write down the following prerequisites <vRA VA>, <TENANT>, <USERNAME> and <PASSWORD>. Please note that the <USERNAME> must be entered the same way it is entered on the login page. The <DOMAIN> is the fully qualified name of the domain of the user. You can find it by searching for the user in ‘Administration -> Users & Groups -> Directory Users and Groups’.
  3. Now you have gathered all the prerequisites, you can request the bearer token with the following REST API call.

  4. Finally we can use our bearer token to consume the vRO REST API ! See below for an example when using the external vRO virtual appliance.

  5. Have fun with the vRO REST API 😉

Leave a Reply

Your email address will not be published. Required fields are marked *