Managing Authentication with the PubSub+ Cloud REST API
With REST API and API token support for authentication, you can configure the authentication mechanism for event broker services.
This tutorial shows you how to:
Before you Begin
Before you can start this tutorial, you'll require the following:
- An account in PubSub+ Event Broker: Cloud and an event broker service.
- The service ID of the event broker service. The
{serviceId}
is the last value of the specified service's URL. For example, in this URLhttps://console.solace.cloud/services/d4g5cxzcrhk
, the service ID isd4g5cxzcrhk
. The service identifier is required for many of the REST API calls. - Your account must be assigned the Administrator or Cluster Manager Editor role.
- An API token with the following permissions:
- From Mission Control:
- Get My Services with Management Credentials
- From Organization Services:
- Get Services with Management Credentials
- Enable/Disable LDAP Management Access to the Broker
- Enable / Disable Basic and Certificate Authentication
To learn how to create an API token, see Creating an API Token.
- From Mission Control:
-
A REST client of your choice. Postman is a good choice if you want a visual REST API development tool. At this time, there is no Solace Blog available so if you use Postman, simply make each call by typing the REST API call after you've set up the environment in Postman to use your API token. For more information about setting up Postman, see Managing API Tokens.
After you've set up the environment in Postman to use your API token, you can simply make each call by specifying the REST API. To check that API token is set up correctly to use Bearer authorization in Postman, select the Headers tab to validate that it is using Bearer Authorization and set it to use the
apiToken
environment variable that you had set up earlier. For example, you can see that Authorization is set up to use Bearer and theapiToken
in the following illustration:
Configuring Client Certificate Authentication For Event Broker Services
You can enable client certificate authentication or mutual TLS (mTLS) on event broker services using the REST API. Before you enable client certificate authentication, you must add certificates to the event broker service. For more information, see Managing Certificate Authorities with the PubSub+ Cloud REST API.
The minimum permission required in the API Token to use the REST API call is Enable / Disable Basic and Certificate Authentication.
To enable or disable client certificate authentication, you issue a POST call to https://api.solace.cloud/api/v0/services/{serviceId}/requests/updateAuthenticationRequests
.
A successful request returns 202
(Accepted); otherwise the following error codes are returned:
5000
— with a support code of102
if theupdateAuthenticationRequest
was passed an invalid format or missing a parameter in the body of the POST request. The request must include all parameters specified in the payload above.5000
— with a support code of106
if the update authentication permission (Enable / Disable Basic and Certificate Authentication) is not in the API token that was used.
The POST call requires the following parameters in the body:
-
authenticationBasicEnabled
— A boolean value to enable (true
) or disable (false
) basic authentication for the client applications.Do not disable (set to
false
), otherwise your event broker service is accessible by everyone. -
authenticationClientCertEnabled
— A boolean value to enable (true
) or disable (false
) Client Certificate Authentication for client applications. -
authenticationClientCertValidateDateEnabled
— A boolean value to enable (true
) or disable (false
) the requirement to validate the certificate date. -
authenticationOauthEnabled
— A boolean value to enable (true
) or disable (false
) OAuth authentication for client applications. This will enable clients to connect and authenticate applications and IoT devices with OAuth's advanced security features.
The serviceId
is the unique identifier for the service, which you can determine using a call such as Getting the Connection Details for the Event Broker Service Using the REST API
For example, if the identifier for the service identifier of v0q6d1xqg7g
, a POST call to https://api.solace.cloud/api/v0/services/v0q6d1xqg7g/requests/updateAuthenticationRequests
with the payload looks like this:
{ "authenticationBasicEnabled": "true", "authenticationClientCertEnabled": "true", "authenticationClientCertValidateDateEnabled": "false", "authenticationOauthEnabled" "false" }
Upon success, a response is returned:
{ "data": { "id": "0b4tesmsn2b", "creationTimestamp": 1631111411837, "authenticationBasicEnabled": "true", "authenticationClientCertEnabled": "true", "authenticationClientCertValidateDateEnabled": "false", "authenticationOauthEnabled": "false", "type": "updateAuthenticationRequest" } }
Since this operation is asynchronous, you must issue a GET
call to https://api.solace.cloud/api/v0/services/{serviceId}/requests/{requestId}
to check the progress of the operation, where serviceId
is the identifier for the event broker service and requestId
is the value from id
parameter that was returned in the response from the POST call. Continuing from the previous example, if you issue the GET
call to https://api.solace.cloud/api/v0/services/v0q6d1xqg7g/requests/0b4tesmsn2b
, you can see the status is completed
in the adminProgress
progress in the response as follows:
{ "data": { "id": "0b4tesmsn2b", "creationTimestamp": 1631111411837, "adminProgress": "completed", "authenticationBasicEnabled": "true", "authenticationClientCertEnabled": "true", "authenticationClientCertValidateDateEnabled": "false", "authenticationOauthEnabled": "false", "type": "updateAuthenticationRequest" }, "meta": { "currentTime": 1631111490000 } }
Creating an LDAP Profile
For LDAP authentication of users and/or LDAP authorization of clients, LDAP profiles must be configured on the event broker service and be enabled. You can create the following LDAP profiles:
- default profile to authenticate clients
- management profile to authenticate users. To learn more about LDAP for Management Access, refer to Managing Authentication with the PubSub+ Cloud REST API.
To create an LDAP profile for an existing service, send a POST request to https://api.solace.cloud/api/v0/services/{id}/requests/ldapAuthenticationProfileRequests
. A successful response returns 202 (Accepted). The {id}
is the last value in the specified service's URL. For example, in this URL, https://console.solace.cloud//services/d4g5cxzcrhk
, the service ID is d4g5cxzcrhk
.
The following example payload will create an LDAP management profile. For detailed information on the attributes and parameters, refer to Configuring LDAP Client Authentication.
{ "operation":"create", "ldapAuthenticationProfile": { "profileName": "management", "enabled":false, "adminDn":"solly@example.com", "adminPassword":"somesuperotter", "allowUnauthenticatedAuthentication":false, "startTls":true, "ldapServerOne":"ldap:myldapserver:1234", "ldapServerTwo":null, "ldapServerThree":null, "searchBaseDn":"apple23", "searchDeref":"SEARCH", "searchFilter":"(cn=$CLIENT_USERNAME)23", "searchScope":"BASE", "searchFollowContinuationReferences":true, "searchTimeout":3, "groupMembershipSecondarySearchEnabled":false, "groupMembershipSecondarySearchBaseDn":"", "groupMembershipSecondarySearchFilterAttributeFromPrimarySearch":"", "groupMembershipSecondarySearchDeref":"ALWAYS", "groupMembershipSecondarySearchFilter":"", "groupMembershipSecondarySearchScope":"SUBTREE", "groupMembershipSecondarySearchFollowContinuationReferences":false, "groupMembershipSecondarySearchTimeout":2 } }
Here is an example of a successful 202 response:
{ "data" : { "id" : "zl8oa476l", "creationTimestamp" : 0, "operation" : "update", "type" : "ldapAuthenticationProfileRequest" } }
To verify that the LDAP profile was successfully created, send a GET request to https://api.solace.cloud/api/v0/services/{id}/requests/ldapAuthenticationProfileRequests/<ldap-profile-name>
. A successful response returns 200 (OK).
The following is an example response for an LDAP management profile that was successfully created.
{ "data" : { "id" : "management", "profileName" : "management", "enabled" : true, "allowUnauthenticatedAuthentication" : false, "startTls" : true, "adminDn" : "solly@example.com", "adminPassword" : "somesuperotter", "groupMembershipSecondarySearchEnabled" : false, "groupMembershipSecondarySearchBaseDn" : "", "groupMembershipSecondarySearchDeref" : "ALWAYS", "groupMembershipSecondarySearchFilter" : "", "groupMembershipSecondarySearchFilterAttributeFromPrimarySearch" : "", "groupMembershipSecondarySearchFollowContinuationReferences" : false, "groupMembershipSecondarySearchScope" : "SUBTREE", "groupMembershipSecondarySearchFollowContinuationShutdown" : false, "groupMembershipSecondarySearchTimeout" : 2, "ldapServerOne" : "ldap://macafee.ca:1234", "ldapServerTwo" : null, "ldapServerThree" : null, "searchBaseDn" : "apple23", "searchDeref" : "SEARCH", "searchFilter" : "(cn=$CLIENT_USERNAME)23", "searchFollowContinuationReferences" : true, "searchScope" : "BASE", "searchTimeout" : 3, "type" : "ldapAuthenticationProfile" } }
To configure LDAP management access through the PubSub+ Cloud console, refer to Configuring LDAP Client Authentication.
Configuring LDAP for Management Access
Before you begin this tutorial, make sure you've created an LDAP Management Profile.
To set LDAP for management access, you must configure the following:
- configure an LDAP management profile.
- set the LDAP attribute to check for groups. A group attribute name is retrieved from the LDAP server as part of the LDAP search to authenticate users. The
groupAttributeName
indicates that a user belongs to a particular group that exists on the LDAP server. - provide
global-read
and/orvpn-read-write
access to one or more groups. A user may belong to one or more LDAP groups, and each group's access level may differ. You can providereadOnlyGroupNames
and/orreadWriteGroupNames
to member groups.
To configure LDAP for Management Access through the PubSub+ Cloud console, refer to Configuring Authentication to Event Broker Services.
Enable LDAP for Management Access
To enable the LDAP for Management Access for an existing service, send a POST request to https://api.solace.cloud/api/v0/services/{serviceId}/requests/ldapManagementAccessRequest
. A successful response returns 202 ACCEPTED.
The following example payload will enable the LDAP management access, where we set the groupAttributeName
and the readOnlyGroupNames
and readWriteGroupNames
access for specific groups.
{ "operation":"create", "managementProfileName":"<created-management-profile-name>", "groupAttributeName":"<group-membership-attribute-name>", "readOnlyGroupNames":["<group-name-1>","<group-name-2>"], "readWriteGroupNames":["<group-name-1>", "<group-name-3>"] }
Here is an example of a successful 202 Accepted response:
{ "data": { "id": "<serviceRequestId>", "creationTimestamp": 0, "managementProfileName": "<created-management-profile-name>", "operation": "create", "groupAttributeName": "<group-membership-attribute-name>", "readOnlyGroupNames": [ "<group-name-1>", "<group-name-2>" ], "readWriteGroupNames": [ "<group-name-1>", "<group-name-3>" ], "type": "ldapManagementRequest" } }
Update/Disable LDAP for Management Access
To update the LDAP for Management Access for an existing service, send a POST request to https://api.solace.cloud/api/v0/services/{serviceId}/requests/ldapManagementAccessRequest
. A successful response returns 202 ACCEPTED.
The following example payload will update the LDAP management access, where we set "operation: update"
and enableManagementProfileAuthentication: true
. Setting enableManagementProfileAuthentication: false
will disable the LDAP for Management Access.
{ "operation":"update", "managementProfileName":"<created-management-profile-name<", "groupAttributeName":"<group-membership-attribute-name<", "readOnlyGroupNames":["<group-name-1<","<group-name-2<","<group-name-4<"], "readWriteGroupNames":[], "enableManagementProfileAuthentication": true }
Here is an example of a successful 202 Accepted response:
{ "data": { "id": "<serviceRequestId>", "creationTimestamp": 0, "managementProfileName": "<created-management-profile-name>", "operation": "create", "groupAttributeName": "<group-membership-attribute-name>", "readOnlyGroupNames": [ "<group-name-1>", "<group-name-2>", "<group-name-4>" ], "readWriteGroupNames": [], "enableManagementProfileAuthentication": true, "type": "ldapManagementRequest" } }
Remove LDAP for Management Access
To remove the LDAP for Management Access for an existing service, send a POST request to https://api.solace.cloud/api/v0/services/{serviceId}/requests/ldapManagementAccessRequest
. A successful response returns 202 ACCEPTED.
The following example payload will remove the LDAP management access, where we set "operation: delete"
and enableManagementProfileAuthentication: false
.
{ "operation":"delete", "managementProfileName":"<created-management-profile-name<", "groupAttributeName":"<group-membership-attribute-name<", "readOnlyGroupNames":["<group-name-1<","<group-name-2<","<group-name-4<"], "readWriteGroupNames":[], "enableManagementProfileAuthentication": false }
Here is an example of a successful 202 response:
{ "data": { "id": "<serviceRequestId>", "creationTimestamp": 0, "managementProfileName": "<created-management-profile-name>", "operation": "create", "groupAttributeName": "<group-membership-attribute-name>", "readOnlyGroupNames": [ "<group-name-1>", "<group-name-2>", "<group-name-4>" ], "readWriteGroupNames": [], "enableManagementProfileAuthentication": false, "type": "ldapManagementRequest" } }
Get LDAP for Management Access Information
To retrieve the information for LDAP for Management Access, send a GET request to https://api.solace.cloud/api/v0/services/{service-id}/ldapManagementAccess
. A successful response returns 200 OK. If the event broker service was deleted or disabled, the response will be 404 NOT FOUND.
The following is an example response for LDAP management access information that is enabled.
{ "data": { "id": "{vmrId}/{vpn}/ldapManagement", "creationTimestamp": 0, "adminProgress": "completed", "managementProfileName": "<created-management-profile-name>", "operation": "create", "groupAttributeName": "<group-membership-attribute-name>", "readOnlyGroupNames": [ "<group-name-1>", "<group-name-2>" ], "readWriteGroupNames": [ "<group-name-1>", "<group-name-3>" ], "enableManagementProfileAuthentication": true, "type": "ldapManagementRequest" } }
Check Status of LDAP for Management Access Service Request
To verify that the LDAP for Management Access was successfully enabled, updated, or deleted, send a GET request to https://api.solace.cloud/api/v0/services/{serviceId}/requests/{serviceRequestId}
. A successful response returns 200 OK. If the event broker service was deleted or disabled, the response will be 404 NOT FOUND.
The following is an example response for LDAP management access that is enabled.
{ "data": { "id": "<serviceRequestId>", "creationTimestamp": 0, "adminProgress": "completed", "managementProfileName": "<created-management-profile-name>", "operation": "create", "groupAttributeName": "<group-membership-attribute-name>", "readOnlyGroupNames": [ "<group-name-1>", "<group-name-2>" ], "readWriteGroupNames": [ "<group-name-1>", "<group-name-3>" ], "type": "ldapManagementRequest" }, "meta": { "currentTime": 1622142431031 } }