Instructions for authenticating against EDAA using Smarts CAS (Central Authentication Service) via command-line tools

Article ID: 425801

Products

VMware Smart Assurance Network Observability

Issue/Introduction

This document outlines the steps to run EDAA queries using curl when CAS authentication is enabled in Smarts.
This method is suitable for:

  • Automated scripts and scheduled jobs
  • CI/CD pipelines
  • Non-interactive authentication workflows

Environment

All Supported Smarts releases

Resolution

Prerequisites:

  • curl (version 7.x or higher) must be installed.
  • OpenSSL must be installed.
  • Network connectivity must exist between the EDAA server and the CAS server.
  • The following ports must be open from the system where the curl commands will be run:
    • EDAA: default HTTP port 8080, default HTTPS port 8443
    • CAS: default HTTP port 8081, default HTTPS port 8444

Understanding the CAS Authentication Flow

CAS natively supports ticket-based authentication for direct API access. The standard CAS flow requires multiple steps:

  • Authenticate with CAS to obtain a Ticket Granting Ticket (TGT)
  • Use the TGT to request a Service Ticket (ST) for the specific EDAA service URL
  • Invoke the EDAA API by appending the service ticket as a request parameter

Key Concepts

  • TGT (Ticket Granting Ticket): Master ticket valid for multiple service ticket requests (default: 2 hours)
  • ST (Service Ticket): Single-use ticket for a specific service (default: 10 seconds)
  • Service URL: The exact URL of the protected resource you want to access

SSL/TLS Authentication

Use this method for environments with SSL/TLS encryption.

Additional Prerequisites for SSL: You need a CA certificate file to verify the server's SSL certificate. 

Step 1: Obtain TGT (SSL)
Purpose: Authenticate with your username and password to receive a TGT. 

TGT - SSL
 
curl --location '<CAS_PROTOCOL>://<CAS_HOSTNAME>:<CAS_PORT>/cas/v1/tickets' \
  --cacert <CA_CERT_PATH> \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=<USERNAME>' \
  --data-urlencode 'password=<PASSWORD>'

Example with Sample Values:

curl --location 'https://HOSTNAME:8444/cas/v1/tickets' \
  --cacert /tmp/edaacas.cert \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=username' \
  --data-urlencode 'password=password'

Expected Response:

HTTP/1.1 201 Created
Location: https://HOSTNAME:8444/cas/v1/tickets/TGT-1-rJe0uDG5FFcivlm8Ve0PZYql8fxLwCMgwvZsHGzYGOFwYk2oWM-eAQvtr18Noq-mDEs-Dummy-Host
...

Extract the TGT URL from the Location header:
https://HOSTNAME:8081/cas/v1/tickets/TGT-5-XR9LUUes8vW0MJF-Sam8UL9bwfDns5R5y8gdzZckKykQnPjOmLf57xqh60a8oMEftAs-Dummy-Host

where Dummy-Host is a placeholder that varies with your environment.

Step 2: Request Service Ticket (SSL)
Purpose: Exchange your TGT for a service-specific ticket to access a particular EDAA API endpoint.
Note: The service parameter must exactly match the URL you will use in Step 3 (excluding the ticket parameter).

ST - SSL
 
curl --location '<TGT_URL>' \
  --cacert <CA_CERT_PATH> \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'service=<EDAA_PROTOCOL>://<EDAA_HOSTNAME>:<EDAA_PORT>/<API_ENDPOINT>?<QUERY_PARAMS>'

Example with Sample Values:

curl --location 'https://HOSTNAME:8081/cas/v1/tickets/TGT-5-XR9LUUes8vW0MJF-Sam8UL9bwfDns5R5y8gdzZckKykQnPjOmLf57xqh60a8oMEftAs-Dummy-Host' \
  --cacert /tmp/edaacas.cert \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'service=https://HOSTNAME:8443/alerts-edaa/msa/alerts/types/ManagedAlert/instances?alt=json&pretty=true'

Expected Response:

ST-1-KCexhSRH6sAAIBHzCN91IDa-rsU-Dummy-Host

where Dummy-Host is a placeholder that varies with your environment.

This is your Service Ticket - save it for the next step.
Note: Service Tickets (ST) expire in 10 seconds by default, so the next step, which uses the Service Ticket, must be run within 10 seconds.

Step 3: Access Protected API Resource (SSL)
Purpose: Use the Service Ticket to access your EDAA API endpoint.

EDAA RESPONSE - SSL
 
curl --cacert <CA_CERT_PATH> \
  --location --request <HTTP_METHOD> \
  '<EDAA_PROTOCOL>://<EDAA_HOSTNAME>:<EDAA_PORT>/<API_ENDPOINT>?<QUERY_PARAMS>&ticket=<SERVICE_TICKET>'

Example GET Request:

curl --cacert /tmp/edaacas.cert \
  --location --request GET \
  'https://HOSTNAME:8443/alerts-edaa/msa/alerts/types/ManagedAlert/instances?alt=json&pretty=true&ticket=ST-1-KCexhSRH6sAAIBHzCN91IDa-rsU-Dummy-Host'

Expected Response:
EDAA API Response 
 

Non-SSL Authentication

Use this method for internal networks without SSL/TLS encryption. In this mode the username, password and tickets cross the network unencrypted.

Step 1: Obtain Ticket Granting Ticket (TGT)
Purpose: Authenticate with your username and password to receive a TGT. 

TGT
 
curl --location '<CAS_PROTOCOL>://<CAS_HOSTNAME OR CAS_IP>:<CAS_PORT>/cas/v1/tickets' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=<USERNAME>' \
  --data-urlencode 'password=<PASSWORD>'

Example with Sample Values:

curl --location 'http://#.#.#.#:8081/cas/v1/tickets' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=username' \
  --data-urlencode 'password=password'

Expected Response:

HTTP/1.1 201 Created
Location: http://#.#.#.#:8081/cas/v1/tickets/TGT-5-XR9LUUes8vW0MJF-Sam8UL9bwfDns5R5y8gdzZckKykQnPjOmLf57xqh60a8oMEftAs-Dummy-Host
Content-Type: text/html;charset=utf-8

<!DOCTYPE HTML ...>
<h1>TGT Created</h1>
...

Extract the TGT URL from the Location header:
http://#.#.#.#:8081/cas/v1/tickets/TGT-5-XR9LUUes8vW0MJF-Sam8UL9bwfDns5R5y8gdzZckKykQnPjOmLf57xqh60a8oMEftAs-Dummy-Host

where Dummy-Host is a placeholder that varies with your environment.

Step 2: Request Service Ticket (ST)
Purpose: Exchange your TGT for a service-specific ticket to access a particular EDAA API endpoint.
Note: The service parameter must exactly match the URL you will use in Step 3 (excluding the ticket parameter).

Service Ticket
 
curl --location '<TGT_URL>' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'service=<EDAA_PROTOCOL>://<EDAA_HOSTNAME OR EDAA_IP>:<EDAA_PORT>/<API_ENDPOINT>?<QUERY_PARAMS>'

Example with Sample Values:

curl --location 'http://#.#.#.#:8081/cas/v1/tickets/TGT-5-XR9LUUes8vW0MJF-Sam8UL9bwfDns5R5y8gdzZckKykQnPjOmLf57xqh60a8oMEftAs-Dummy-Host' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'service=http://#.#.#.#:8080/alerts-edaa/msa/alerts/types/ManagedAlert/instances?alt=json&pretty=true'

Expected Response:

ST-7-2C9kF47wT9A-wucpqbbwafGymmU-Dummy-Host

where Dummy-Host is a placeholder that varies with your environment.

This is your Service Ticket - save it for the next step.
Note: Service Tickets (ST) expire in 10 seconds by default, so the next step, which uses the Service Ticket, must be run within 10 seconds.

Step 3: Access Protected API Resource
Purpose: Use the Service Ticket to access your EDAA API endpoint.

Access the EDAA API

curl --location --request <HTTP_METHOD> '<EDAA_PROTOCOL>://<EDAA_HOSTNAME OR EDAA_IP>:<EDAA_PORT>/<API_ENDPOINT>?<QUERY_PARAMS>&ticket=<SERVICE_TICKET>'

Example GET Request:

curl --location --request GET 'http://#.#.#.#:8080/alerts-edaa/msa/alerts/types/ManagedAlert/instances?alt=json&pretty=true&ticket=ST-7-2C9kF47wT9A-wucpqbbwafGymmU-Dummy-Host'

Expected Response:

EDAA API Response
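
The three steps of the SSL flow above chained into one non-interactive script, as an added example that is not part of the original article. It saves the response headers with --dump-header so the Location header can be parsed, and reads the password from a file instead of the command line. The environment variable names, the function names and the ticket-shape pattern are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article). Assumed names: CAS_URL, EDAA_URL,
# CAS_USER, CAS_PASS_FILE, CA_CERT and the four functions below.

# Step 1 helper: read the TGT URL from headers saved with --dump-header.
# Header names are case-insensitive and each line ends in CRLF.
extract_tgt_url() {
  awk 'tolower($1) == "location:" { sub(/\r$/, "", $2); print $2; exit }' "$1"
}

# True only for a single line shaped like the article's sample tickets
# (assumed pattern), so an HTML error body is never spliced into a URL.
is_ticket() {  # $1 = TGT or ST, $2 = candidate string
  printf '%s' "$2" | awk -v p="$1" '
    $0 !~ ("^" p "-[0-9]+-[A-Za-z0-9._-]+$") { bad = 1 }
    END { exit (bad || NR != 1) }'
}

# Step 3 helper: append ticket= without altering the service URL itself.
with_ticket() {
  case "$1" in
    *\?*) printf '%s&ticket=%s\n' "$1" "$2" ;;
    *)    printf '%s?ticket=%s\n' "$1" "$2" ;;
  esac
}

edaa_query() {
  hdr=$(mktemp) || return 1
  # Step 1: the password comes from a file (written without a trailing
  # newline) so it never shows up in the process list.
  curl --silent --cacert "$CA_CERT" --dump-header "$hdr" --output /dev/null \
       --data-urlencode "username=$CAS_USER" \
       --data-urlencode "password@$CAS_PASS_FILE" \
       "$CAS_URL/cas/v1/tickets"
  tgt_url=$(extract_tgt_url "$hdr"); rm -f "$hdr"
  is_ticket TGT "${tgt_url##*/}" || { echo "no TGT in Location header" >&2; return 1; }
  # Step 2: service= must be exactly the URL requested in step 3.
  st=$(curl --silent --cacert "$CA_CERT" \
            --data-urlencode "service=$EDAA_URL" "$tgt_url")
  is_ticket ST "$st" || { echo "CAS did not return a service ticket" >&2; return 1; }
  # Step 3: runs immediately, well inside the ST lifetime; the ST is single-use.
  curl --silent --fail --cacert "$CA_CERT" --location --request GET \
       "$(with_ticket "$EDAA_URL" "$st")"
}

# Runs only when called as: script.sh run (with the variables above exported).
if [ "${1:-}" = "run" ]; then edaa_query; fi
```

Because each Service Ticket is single-use, a scheduled job should call edaa_query once per request; the TGT stays valid for further service-ticket requests until it expires.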