cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2012
Views
0
Helpful
1
Replies
Highlighted
Beginner

SSL certificate to get connect to APIC-EM with REST API

My requirement is that - One of my client is using APIC-EM in their secured network for device discovery and maintaining the device inventory.

Now, I need to connect that client APIC-EM from outside app with REST API. But as it is a secured HTTPS call I need to have a certificate to install at my app side to satisfy the SSL.

Based on that here are few questions I have,

  1. Is Cisco provides the SSL certificate for APIC-EM REST API calls or vendor (in this case my client) need to provide this certificate ?
  2. If I install the certificate in my app would I need to still add the token to each REST call I make ?
  3. Is there anything I need to configure apart from SSL certificate to get connect to APIC-EM ?
  4. As token is accepted as query param to rest api.
    •   How secure is that ?
    •   How often the token will expire ?.
    •    When it expires how to handle those exception?

Please throw some light on these topics. Also if you have any documentation or samples around these please share it with me.

I would highly appreciate your help.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Are you using CA1 release ?

Installing cert on the app side (i.e. Client side) might mean two things:

(A) In case of CA1 (or even EFT2), one would install the APIC-EM’s self-signed *Server SSL cert* into the Trust Store of the client side in order for the client/App to trust APIC-EM. That is, if the client App has been configured to verify the cert that APIC-EM presents to it.

(B) Installing a cert at client/App might also mean setting a *Client SSL cert* in order for the client to present to the APIC-EM server to gain APIC-EM’s trust. That is, like server, client too presents its own cert to the server. We do not support it. Not yet.

1 Is Cisco provides the SSL certificate for APIC-EM REST API calls or vendor (in this case my client) need to provide this certificate ?

[Note] If your question means case A above, the APIC-EM has Grapevine’s self-signed cert as Controller’s server cert. If you mean case B, note that there is no client cert based auth.


2 If I install the certificate in my app would I need to still add the token to each REST call I make ?

[Note]  No client cert based auth at APIC-EM. So Token is the only way to use APIC-EM APIs. That is, client trusts the server by server’s cert. server trusts the client by token (implicitly username/password). Again, no mutual SSL cert auth yet.


3 Is there anything I need to configure apart from SSL certificate to get connect to APIC-EM ?

[Note] No client SSL cert support. (repeating myself just to be unambiguous)


4 As token is accepted as query param to rest api.

Header field X-Auth-Token carries the token and not HTTP payload/query param. The HTTPS is secure and private. Please see RBAC (Role Based Access Control) ref for token related ref.

[Note] (Only in CA 2 release) Default: 5 minutes idle timeout. Absolute timeout 6 hours.

[Note] (Only in CA 2 release) When they expire, the app has to gracefully handle and acquire new token.

View solution in original post

1 REPLY 1
Highlighted
Cisco Employee

Are you using CA1 release ?

Installing cert on the app side (i.e. Client side) might mean two things:

(A) In case of CA1 (or even EFT2), one would install the APIC-EM’s self-signed *Server SSL cert* into the Trust Store of the client side in order for the client/App to trust APIC-EM. That is, if the client App has been configured to verify the cert that APIC-EM presents to it.

(B) Installing a cert at client/App might also mean setting a *Client SSL cert* in order for the client to present to the APIC-EM server to gain APIC-EM’s trust. That is, like server, client too presents its own cert to the server. We do not support it. Not yet.

1 Is Cisco provides the SSL certificate for APIC-EM REST API calls or vendor (in this case my client) need to provide this certificate ?

[Note] If your question means case A above, the APIC-EM has Grapevine’s self-signed cert as Controller’s server cert. If you mean case B, note that there is no client cert based auth.


2 If I install the certificate in my app would I need to still add the token to each REST call I make ?

[Note]  No client cert based auth at APIC-EM. So Token is the only way to use APIC-EM APIs. That is, client trusts the server by server’s cert. server trusts the client by token (implicitly username/password). Again, no mutual SSL cert auth yet.


3 Is there anything I need to configure apart from SSL certificate to get connect to APIC-EM ?

[Note] No client SSL cert support. (repeating myself just to be unambiguous)


4 As token is accepted as query param to rest api.

Header field X-Auth-Token carries the token and not HTTP payload/query param. The HTTPS is secure and private. Please see RBAC (Role Based Access Control) ref for token related ref.

[Note] (Only in CA 2 release) Default: 5 minutes idle timeout. Absolute timeout 6 hours.

[Note] (Only in CA 2 release) When they expire, the app has to gracefully handle and acquire new token.

View solution in original post

This widget could not be displayed.