My client is using APIC-EM in their secured network for device discovery and for maintaining the device inventory. I need to connect to that client's APIC-EM from an outside app using the REST API. But as it is secured with HTTPS, I need to have a certificate installed on my app side to satisfy SSL.
A few questions based on this:
- Does Cisco provide the SSL certificate for APIC-EM REST API calls, or does the vendor (in this case my client) need to provide this certificate?
- If I install the certificate in my app, would I still need to add the token to each REST call I make?
- Is there anything I need to configure apart from the SSL certificate to connect to APIC-EM?
- As the token is accepted as a query param to the REST API:
- How secure is that?
- How often will the token expire?
- When it expires, how do I handle those exceptions?
Using the CA1 release.
Installing cert on the app side (i.e. Client side) might mean two things:
(A) In case of CA1 (or even EFT2), one would install the APIC-EM’s self-signed *Server SSL cert* into the Trust Store of the client side in order for the client/App to trust APIC-EM. That is, if the client App has been configured to verify the cert that APIC-EM presents to it.
(B) Installing a cert at client/App might also mean setting a *Client SSL cert* in order for the client to present to the APIC-EM server to gain APIC-EM’s trust. That is, like server, client too presents its own cert to the server. We do not support it. Not yet.
1 Does Cisco provide the SSL certificate for APIC-EM REST API calls, or does the vendor (in this case my client) need to provide this certificate?
[Note] If your question means case A above, the APIC-EM has Grapevine’s self-signed cert as Controller’s server cert. If you mean case B, note that there is no client cert based auth.
2 If I install the certificate in my app, would I still need to add the token to each REST call I make?
[Note] No client cert based auth at APIC-EM. So the token is the only way to use APIC-EM APIs. That is, the client trusts the server by the server’s cert. The server trusts the client by token (implicitly username/password). Again, no mutual SSL cert auth yet.
3 Is there anything I need to configure apart from the SSL certificate to connect to APIC-EM?
[Note] No client SSL cert support. (repeating myself just to be unambiguous)
4 As the token is accepted as a query param to the REST API.
The header field X-Auth-Token carries the token, not the HTTP payload/query param. The HTTPS is secure and private. Please see the RBAC (Role Based Access Control) ref for token related ref.
[Note] (Only in CA 2 release) Default: 5 minutes idle timeout. Absolute timeout 6 hours.
[Note] (Only in CA 2 release) When they expire, the app has to gracefully handle it and acquire a new token.
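
The token handling described in this answer, as an added Python sketch that is not part of the original reply and not Cisco's code: the token travels in the `X-Auth-Token` header and is renewed on the quoted idle and absolute timeouts or when the server rejects it. `login` and `send` are hypothetical callables standing in for the app's own HTTPS calls (made with the context from `trust_context`), and the 401 status for a rejected token is an assumption.

```python
import ssl
import time

IDLE_TIMEOUT = 5 * 60            # seconds; idle timeout quoted in the answer
ABSOLUTE_TIMEOUT = 6 * 60 * 60   # seconds; absolute timeout quoted in the answer

def trust_context(server_cert_pem):
    """Case (A): trust only the controller's exported server cert (PEM file).
    Certificate and hostname verification stay on (library defaults)."""
    return ssl.create_default_context(cafile=server_cert_pem)

class TokenSession:
    """Sends the token in X-Auth-Token and renews it when it expires."""

    def __init__(self, login, send, clock=time.monotonic):
        self._login = login    # assumed callable: () -> token string
        self._send = send      # assumed: (method, path, headers) -> (status, body)
        self._clock = clock
        self._token = None
        self._issued = self._last_used = 0.0

    def _expired(self):
        now = self._clock()
        return (self._token is None
                or now - self._last_used >= IDLE_TIMEOUT
                or now - self._issued >= ABSOLUTE_TIMEOUT)

    def _renew(self):
        self._token = self._login()
        self._issued = self._last_used = self._clock()

    def request(self, method, path):
        if self._expired():          # renew before the server rejects the call
            self._renew()
        status, body = self._send(method, path, {"X-Auth-Token": self._token})
        if status == 401:            # assumed rejection status; retry once only
            self._renew()
            status, body = self._send(method, path, {"X-Auth-Token": self._token})
        if status != 401:
            self._last_used = self._clock()
        return status, body
```

The single retry keeps a revoked account or wrong password from turning into a login loop; a second 401 is returned to the caller.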