SSL certificate to get connect to APIC-EM with REST API

ramesshh1
Beginner

My requirement is this: one of my clients is using APIC-EM in their secured network for device discovery and maintaining the device inventory.

Now, I need to connect to that client's APIC-EM from an outside app with the REST API. But as it is a secured HTTPS call, I need to have a certificate to install on my app side to satisfy the SSL.

Based on that, here are a few questions I have:

  1. Does Cisco provide the SSL certificate for APIC-EM REST API calls, or does the vendor (in this case my client) need to provide this certificate?
  2. If I install the certificate in my app, would I still need to add the token to each REST call I make?
  3. Is there anything I need to configure apart from the SSL certificate to connect to APIC-EM?
  4. As the token is accepted as a query param to the REST API:
    •   How secure is that?
    •   How often will the token expire?
    •   When it expires, how do I handle those exceptions?

Please throw some light on these topics. Also if you have any documentation or samples around these please share it with me.

I would highly appreciate your help.

Accepted Solutions

yawming
Cisco Employee

Are you using the CA1 release?

Installing cert on the app side (i.e. Client side) might mean two things:

(A) In case of CA1 (or even EFT2), one would install the APIC-EM’s self-signed *Server SSL cert* into the Trust Store of the client side in order for the client/App to trust APIC-EM. That is, if the client App has been configured to verify the cert that APIC-EM presents to it.

(B) Installing a cert at client/App might also mean setting a *Client SSL cert* in order for the client to present to the APIC-EM server to gain APIC-EM’s trust. That is, like server, client too presents its own cert to the server. We do not support it. Not yet.

1 Is Cisco provides the SSL certificate for APIC-EM REST API calls or vendor (in this case my client) need to provide this certificate ?

[Note] If your question means case A above, the APIC-EM has Grapevine’s self-signed cert as Controller’s server cert. If you mean case B, note that there is no client cert based auth.


2 If I install the certificate in my app would I need to still add the token to each REST call I make ?

[Note] No client cert based auth at APIC-EM. So the token is the only way to use APIC-EM APIs. That is, the client trusts the server by the server’s cert. The server trusts the client by token (implicitly username/password). Again, no mutual SSL cert auth yet.


3 Is there anything I need to configure apart from SSL certificate to get connect to APIC-EM ?

[Note] No client SSL cert support. (repeating myself just to be unambiguous)


4 As token is accepted as query param to rest api.

Header field X-Auth-Token carries the token and not HTTP payload/query param. The HTTPS is secure and private. Please see RBAC (Role Based Access Control) ref for token related ref.

[Note] (Only in CA 2 release) Default: 5 minutes idle timeout. Absolute timeout 6 hours.

[Note] (Only in CA 2 release) When they expire, the app has to gracefully handle and acquire new token.
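
The flow described in the accepted answer (case A server trust, the X-Auth-Token header, and acquiring a new token after the 5-minute idle or 6-hour absolute timeout), as an added Python example that is not part of the original posts and is not Cisco code. The `login` and `send` callables and the use of HTTP 401 as the rejected-token signal are assumptions.

```python
import ssl
import time

IDLE_TIMEOUT = 5 * 60            # from the answer: 5 minutes idle (CA 2 default)
ABSOLUTE_TIMEOUT = 6 * 60 * 60   # from the answer: 6 hours absolute


def pinned_context(controller_cert_pem):
    """Case (A): trust only the controller's self-signed server certificate."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking and
    # loads no system CAs, so the PEM file below is the only trust anchor.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=controller_cert_pem)
    return ctx


class TokenClient:
    """login() -> token string; send(method, path, headers) -> (status, body).
    Both are hypothetical callables supplied by the application; send would
    open its HTTPS connection with pinned_context()."""

    def __init__(self, login, send, clock=time.monotonic):
        self._login, self._send, self._clock = login, send, clock
        self._token = None
        self._issued = self._last_used = 0.0

    def _current_token(self):
        now = self._clock()
        if (self._token is None
                or now - self._last_used >= IDLE_TIMEOUT
                or now - self._issued >= ABSOLUTE_TIMEOUT):
            self._token = self._login()   # expired locally: log in again
            self._issued = now
        self._last_used = now
        return self._token

    def request(self, method, path):
        for _ in range(2):
            # The token travels in a header, never in the URL or query string.
            headers = {"X-Auth-Token": self._current_token()}
            status, body = self._send(method, path, headers)
            if status != 401:             # assumption: 401 means token rejected
                break
            self._token = None            # force one fresh login, then retry
        return status, body
```

The hostname used to connect must match a name in the controller's certificate, otherwise the pinned context rejects the handshake.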
