Using APIC-EM in their secured network for device discovery and maintaining the device inventory. Need to connect that client APIC-EM from outside app with REST API. But as it is a secured HTTPS  need to have a certificate to install at my app side to satisfy the SSL.

A few Questions based on this.. 

1. Is Cisco provides the SSL certificate for APIC-EM REST API calls or vendor (in this case my client) need to provide this certificate ?
2. If I install the certificate in my app would I need to still add the token to each REST call I make ?
3. Is there anything I need to configure apart from SSL certificate to get connect to APIC-EM ?
4. As token is accepted as query param to rest api.

•   How secure is that ?
•   How often the token will expire ?.
•    When it expires how to handle those exception?

 using CA1 release ..

Installing cert on the app side (i.e. Client side) might mean two things:

(A) In case of CA1 (or even EFT2), one would install the APIC-EM’s self-signed *Server SSL cert* into the Trust Store of the client side in order for the client/App to trust APIC-EM. That is, if the client App has been configured to verify the cert that APIC-EM presents to it.

(B) Installing a cert at client/App might also mean setting a *Client SSL cert* in order for the client to present to the APIC-EM server to gain APIC-EM’s trust. That is, like server, client too presents its own cert to the server. We do not support it. Not yet.

1 Is Cisco provides the SSL certificate for APIC-EM REST API calls or vendor (in this case my client) need to provide this certificate ?

[Note] If your question means case A above, the APIC-EM has Grapevine’s self-signed cert as Controller’s server cert. If you mean case B, note that there is no client cert based auth.

2 If I install the certificate in my app would I need to still add the token to each REST call I make ?

[Note]  No client cert based auth at APIC-EM. So Token is the only way to use APIC-EM APIs. That is, client trusts the server by server’s cert. server trusts the client by token (implicitly username/password). Again, no mutual SSL cert auth yet.

3 Is there anything I need to configure apart from SSL certificate to get connect to APIC-EM ?

[Note] No client SSL cert support. (repeating myself just to be unambiguous)

4 As token is accepted as query param to rest api.

Header field X-Auth-Token carries the token and not HTTP payload/query param. The HTTPS is secure and private. Please see RBAC (Role Based Access Control) ref for token related ref.

[Note] (Only in CA 2 release) Default: 5 minutes idle timeout. Absolute timeout 6 hours.

[Note] (Only in CA 2 release) When they expire, the app has to gracefully handle and acquire new token.