Authentication using VMware Identity Management
Starting with release 4.1.0, users can authenticate to the public APIs using VMware Identity Manager.
Workflow for authentication using VMware Identity Manager.
Request client-id of password grant OAuth client registered at VMware Identity Manager
Password grant OAuth client is automatically created by VMware Aria Operations for Networks after VMware Identity Manager is successfully configured. This client-id along with user credentials is required while making an access token request to VMware Identity Manager.
Prerequisites
- VMware Identity Manager must be configured & enabled in VMware Aria Operations for Networks.
Steps
- To retrieve the client ID, use the GET request.
Request:
GET https://operations-for-networks.example.com/api/ni/auth/vidm/client-id
Response:
{ "vidm_appliance": "identity.domain.com", "client_id": "g9xUFRr84K_pwd_grant" }
Get access token from VMware Identity Manager
Get the access token from VMware Identity Manager using "client_id" and "vidm_appliance". The response contains the access token which is further used to get the authentication token for accessing VMware Aria Operations for Networks public APIs.
Prerequisites
- "client_id" and "vidm_appliance" (see the previous section).
- Credentials of the user.
Steps
- To retrieve the access token, use the POST request.
Request:
POST https://identity.domain.com/SAAS/auth/oauthtoken?grant_type=password&client_id=g9xUFRr84K_pwd_grant&username=<username>&password=<password>
Response:
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..i5QWkrsrjReLJiKnkxqrZ-4CAcjqWn0NjDWBDHxMPtTW4CEV_Hz_8izwIC7mG5wgoy5z1Zj7Ur9h08j3Xpy1saI3ZqRUNZZ0F9ffqI1bUDOR-4yUhvjUmonRgRblbql6qr5Q_CxDu_tHa65u0SbBcJCwhFPoS7H5r0Ue7ZoofZYFzc0yh2exkDC000GzcuVgTTysLKtl17d3-2zF0K6U6ut-5L80f8LQSm59OA3LFRMHYyWktFFD5-js5TvBU4jElWeZoZICFpxaA6Jk9UIVoAcz4SG0thkyZUSmfPi8S_Ty61G_Ll3M-3RxEXdmJWBLuCfzzSmNWJar-e8HFtmvqg",
  "token_type": "Bearer",
  "expires_in": 10799,
  "scope": "user"
}
Acquire an authentication token for user mapped through VMware Identity Manager
Prerequisites
- VMware Identity Manager must be configured & enabled in VMware Aria Operations for Networks.
- Access token must be obtained from VMware Identity Manager.
Steps
- POST a request to the authentication URL to acquire token for VMware Identity Manager users
Request:
POST https://operations-for-networks.example.com/api/ni/auth/token/vidm
Content-type: application/json
Accept: application/json
Body:
{
  "vidm_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..i5QWkrsrjReLJiKnkxqrZ-4CAcjqWn0NjDWBDHxMPtTW4CEV_Hz_8izwIC7mG5wgoy5z1Zj7Ur9h08j3Xpy1saI3ZqRUNZZ0F9ffqI1bUDOR-4yUhvjUmonRgRblbql6qr5Q_CxDu_tHa65u0SbBcJCwhFPoS7H5r0Ue7ZoofZYFzc0yh2exkDC000GzcuVgTTysLKtl17d3-2zF0K6U6ut-5L80f8LQSm59OA3LFRMHYyWktFFD5-js5TvBU4jElWeZoZICFpxaA6Jk9UIVoAcz4SG0thkyZUSmfPi8S_Ty61G_Ll3M-3RxEXdmJWBLuCfzzSmNWJar-e8HFtmvqg"
}
Response:
{ "token": "KxlrQZeVHhPsBbDOTu5Xzw==", "expiry": 1552600841923 }
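The three requests above chained into one login helper, as an added example that is not VMware's code. The function names and the injectable `send` transport are assumptions of this example, and reading "expiry" as epoch milliseconds is inferred from the sample value on this page.

```python
import json
import time
import urllib.parse
import urllib.request

NI_HOST = "operations-for-networks.example.com"  # host name used on this page


def http_json(method, url, body=None):
    """Default transport: HTTPS with urllib's normal certificate verification."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def vidm_token_url(appliance, client_id, username, password):
    """Password-grant URL with escaped credentials; it holds the password, so never log it."""
    query = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                    "username": username, "password": password})
    return f"https://{appliance}/SAAS/auth/oauthtoken?{query}"


def login(username, password, send=http_json, ni_host=NI_HOST):
    """Run the three steps; returns (Authorization header value, expiry in epoch ms)."""
    info = send("GET", f"https://{ni_host}/api/ni/auth/vidm/client-id")
    grant = send("POST", vidm_token_url(info["vidm_appliance"], info["client_id"],
                                        username, password))
    if grant.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type from VMware Identity Manager")
    ni = send("POST", f"https://{ni_host}/api/ni/auth/token/vidm",
              {"vidm_token": grant["access_token"]})
    return f"NetworkInsight {ni['token']}", ni["expiry"]


def is_expired(expiry_ms, now=None, skew_s=60):
    """Assumes 'expiry' is epoch milliseconds; reports expiry skew_s seconds early."""
    now = time.time() if now is None else now
    return now * 1000 >= expiry_ms - skew_s * 1000
```

The returned header value is sent as the Authorization header on the settings requests described in the following sections.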
Configuring VMware Identity Manager with VMware Aria Operations for Networks
VMware Aria Operations for Networks supports SSO authentication through VMware Identity Manager. To authenticate against a particular VMware Identity Manager appliance, it must be configured & enabled in VMware Aria Operations for Networks.
Prerequisites
- Register VMware Aria Operations for Networks as an OAuth client (Service client) to VMware Identity Manager appliance
- The user performing this action must hold administrator privileges.
Steps
- POST a request to the settings URL for VMware Identity Manager
- sha_thumbprint is an optional field (must be kept as an empty string if thumbprint validation is not required)
Request:
POST https://operations-for-networks.example.com/api/ni/settings/vidm
Content-type: application/json
Accept: application/json
Authorization: NetworkInsight {auth-token}
Body:
{
  "vidm_appliance": "identity.domain.com",
  "client_id": "operations_for_networks_client",
  "client_secret": "operations_for_networks_secret",
  "sha_thumbprint": "",
  "enable": "true"
}
Response:
{ "vidm_appliance": "identity.domain.com", "client_id": "operations_for_networks_client", "enable": true }
Updating VMware Identity Manager Configuration
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- The user performing this action must hold administrator privileges.
Steps
- PUT request to the settings URL for VMware Identity Manager.
- sha_thumbprint is an optional field (must be kept as an empty string if thumbprint validation is not required)
Request:
PUT https://operations-for-networks.example.com/api/ni/settings/vidm
Content-type: application/json
Accept: application/json
Authorization: NetworkInsight {auth-token}
Body:
{
  "vidm_appliance": "identity.domain.com",
  "client_id": "operations_for_networks_client",
  "client_secret": "operations_for_networks_secret",
  "sha_thumbprint": "",
  "enable": "true"
}
Response:
{ "vidm_appliance": "identity.domain.com", "client_id": "operations_for_networks_client", "enable": true }
Fetching VMware Identity Manager configuration
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- The user performing this action must hold administrator privileges.
Steps
- GET request to the settings URL for VMware Identity Manager
- sha_thumbprint is an optional field (must be kept as an empty string if thumbprint validation is not required)
Request:
GET https://operations-for-networks.example.com/api/ni/settings/vidm
Authorization: NetworkInsight {auth-token}
Response:
{ "vidm_appliance": "identity.domain.com", "client_id": "operations_for_networks_client", "enable": true }
Deleting the existing VMware Identity Manager Configuration in Operations for Networks
Deleting the VMware Identity Manager configuration eventually removes corresponding users & user-groups (those mapped through VMware Identity Manager) from VMware Aria Operations for Networks.
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- The user performing this action must have administrator privileges.
Steps
- DELETE request to the settings URL for VMware Identity Manager.
Request:
DELETE https://operations-for-networks.example.com/api/ni/settings/vidm
Authorization: NetworkInsight {auth-token}
Response:
HTTP 204 (No-content)
Integrating VMware Identity Manager in VMware Aria Operations for Networks
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- The user performing this action must hold administrator privileges.
Steps
- POST request to the settings URL for VMware Identity Manager enable operation.
Request:
POST https://operations-for-networks.example.com/api/ni/settings/vidm/enable
Authorization: NetworkInsight {auth-token}
Response:
HTTP 204 (No-content)
Disabling the Integration of VMware Identity Manager in VMware Aria Operations for Networks
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- The user performing this action must hold administrator privileges.
Steps
- POST request to the settings URL for VMware Identity Manager disable operation
Request:
POST https://operations-for-networks.example.com/api/ni/settings/vidm/disable
Authorization: NetworkInsight {auth-token}
Response:
HTTP 204 (No-content)
Adding a user mapped through VMware Identity Manager
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- The user performing this action must hold administrator privileges to manage users and user-groups.
Steps
- POST request to the users settings URL for VMware Identity Manager
- Expected values for "role" = {"ADMIN", "MEMBER"}
Request:
POST https://operations-for-networks.example.com/api/ni/settings/users/vidm
Content-type: application/json
Accept: application/json
Authorization: NetworkInsight {auth-token}
Body:
{ "username": "testuser", "domain": "vidmlabs.com", "display_name": "test user", "role": "MEMBER" }
Response:
{
  "user_type": "VIDM",
  "id": "testuser@vidmlabs.com",
  "role": "MEMBER",
  "username": "testuser",
  "domain": "vidmlabs.com",
  "display_name": "test user"
}
Updating role for user mapped through VMware Identity Manager
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- The user performing this action must hold administrator privileges to manage users and user-groups.
- User (whose role is getting updated) is already added in VMware Aria Operations for Networks.
Steps
- PUT request to the users settings URL for VMware Identity Manager
- Expected values for "role" = {"ADMIN", "MEMBER"}
Request:
PUT https://operations-for-networks.example.com/api/ni/settings/users/vidm
Content-type: application/json
Accept: application/json
Authorization: NetworkInsight {auth-token}
Body:
{ "username": "testuser", "domain": "vidmlabs.com", "display_name": "test user", "role": "MEMBER" }
Response:
{
  "user_type": "VIDM",
  "id": "testuser@vidmlabs.com",
  "role": "MEMBER",
  "username": "testuser",
  "domain": "vidmlabs.com",
  "display_name": "test user"
}
Listing all the user details
Prerequisites
- User performing this action must have adequate permissions (admin user) to manage users and user-groups.
Steps
- GET request to the users settings URL
- Mandatory query param : "type", expected values = {"vidm", "local", "ldap"}
- Optional query param : "size", "cursor"
Request:
GET https://operations-for-networks.example.com/api/ni/settings/users?type=vidm
Authorization: NetworkInsight {auth-token}
Response:
{
  "results": [
    { "user_type": "VIDM", "id": "testuser1@vidmlabs.com", "role": "MEMBER", "username": "testuser1", "domain": "vidmlabs.com", "display_name": "test user1" },
    { "user_type": "VIDM", "id": "testuser2@vidmlabs.com", "role": "MEMBER", "username": "testuser2", "domain": "vidmlabs.com", "display_name": "test user2" }
  ],
  "cursor": "Mg==",
  "total_count": 3
}
Fetching User Details
In the current version, the API only returns details of users mapped through VMware Identity Manager. Details of local/ldap users are not yet supported.
Prerequisites
- User performing this action must have administrator permissions to manage users and user-groups.
Steps
- GET request to the user settings URL.
- "id" for the user must be provided as path parameter (URL-Encoded format)
Request:
GET https://operations-for-networks.example.com/api/ni/settings/users/testuser1@system%20domain
Authorization: NetworkInsight {auth-token}
Response:
{
  "user_type": "VIDM",
  "id": "testuser1@system domain",
  "role": "MEMBER",
  "username": "testuser1",
  "domain": "system domain",
  "display_name": "test user1"
}
Deleting an existing User
The API is currently restricted to deletion of users mapped through VMware Identity Manager. Deletion of local/ldap users is not yet supported.
Prerequisites
- User performing this action must have administrator permissions to manage users and user-groups.
Steps
- DELETE request to the users settings URL.
- "id" for the user must be provided as path parameter (URL-Encoded format).
Request:
DELETE https://operations-for-networks.example.com/api/ni/settings/users/testuser1@system%20domain
Authorization: NetworkInsight {auth-token}
Response:
HTTP 204 (No-content)
Adding a user-group through VMware Identity Manager
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- User performing this action must have adequate permissions (admin user) to manage users and user-groups.
Steps
- POST request to the user-groups settings URL for VMware Identity Manager.
- Expected values for "role" = {"ADMIN", "MEMBER"}.
Request:
POST https://operations-for-networks.example.com/api/ni/settings/user-groups/vidm
Content-type: application/json
Accept: application/json
Authorization: NetworkInsight {auth-token}
Body:
{ "group_name": "testgroup1", "domain": "vidmlabs.com", "role": "MEMBER" }
Response:
{ "group_type": "VIDM", "id": "testgroup1@vidmlabs.com", "group_name": "testgroup1", "domain": "vidmlabs.com", "role": "MEMBER" }
Updating the role for user-group mapped through VMware Identity Manager
Prerequisites
- VMware Identity Manager must be configured in VMware Aria Operations for Networks.
- User performing this action must have adequate permissions (admin user) to manage users and user-groups.
- User-group (whose role is getting updated) is already added in VMware Aria Operations for Networks.
Steps
- PUT request to the user-groups settings URL for VMware Identity Manager.
Request:
PUT https://operations-for-networks.example.com/api/ni/settings/user-groups/vidm
Content-type: application/json
Accept: application/json
Authorization: NetworkInsight {auth-token}
Body:
{ "group_name": "testgroup1", "domain": "vidmlabs.com", "role": "ADMIN" }
Response:
{ "group_type": "VIDM", "id": "testgroup1@vidmlabs.com", "group_name": "testgroup1", "domain": "vidmlabs.com", "role": "ADMIN" }
Listing details of all the user-groups
Currently this API only returns results for user-groups mapped through VMware Identity Manager. Results for other user-groups are not yet supported.
Prerequisites
- User performing this action must have adequate permissions (admin user) to manage users and user-groups.
Steps
- GET request to the user-groups settings URL.
- Mandatory query param : "type", expected values = {"vidm", "local", "ldap"}.
- Optional query param : "size", "cursor".
Request:
GET https://operations-for-networks.example.com/api/ni/settings/user-groups?type=vidm
Authorization: NetworkInsight {auth-token}
Response:
{
  "results": [
    { "group_type": "VIDM", "id": "testgroup1@vidmlabs.com", "group_name": "testgroup1", "domain": "vidmlabs.com", "role": "ADMIN" },
    { "group_type": "VIDM", "id": "testgroup2@vidmlabs.com", "group_name": "testgroup2", "domain": "vidmlabs.com", "role": "MEMBER" }
  ],
  "cursor": "Mg==",
  "total_count": 3
}
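An access review built on the two listing calls (users and user-groups), as an added example that is not VMware's code: it pages through both lists and reports every mapping that holds the ADMIN role. The `get_json` callable (a GET that sends the Authorization header and returns parsed JSON) and the function names are hypothetical, and the paging behaviour described in the docstring is an assumption, since this page does not say how the last page is signalled.

```python
import urllib.parse

NI_BASE = "https://operations-for-networks.example.com/api/ni"  # host used on this page


def list_all(kind, get_json, page_size=50, base=NI_BASE):
    """Yield every VIDM-mapped entry of kind 'users' or 'user-groups'.

    Assumption: the 'cursor' from one response is passed back as the 'cursor'
    query parameter, and paging stops when a page is empty or has no cursor.
    """
    cursor, seen = None, set()
    while True:
        params = {"type": "vidm", "size": page_size}
        if cursor:
            params["cursor"] = cursor
        page = get_json(f"{base}/settings/{kind}?{urllib.parse.urlencode(params)}")
        results = page.get("results", [])
        yield from results
        cursor = page.get("cursor")
        if not results or not cursor or cursor in seen:  # guard against a cursor loop
            return
        seen.add(cursor)


def admin_mappings(get_json):
    """Return sorted ids of users and user-groups whose role is ADMIN."""
    admins = []
    for kind in ("users", "user-groups"):
        admins += [e["id"] for e in list_all(kind, get_json) if e.get("role") == "ADMIN"]
    return sorted(admins)


def detail_url(kind, entry_id, base=NI_BASE):
    """URL-encode the id path parameter: 'testuser1@system domain' contains a space."""
    return f"{base}/settings/{kind}/{urllib.parse.quote(entry_id, safe='@')}"
```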
Fetching details of a user-group
Currently this API only returns details of user-groups mapped through VMware Identity Manager. Retrieving details of other user-groups is not yet supported.
Prerequisites
- User performing this action must have adequate permissions (admin user) to manage users and user-groups.
Steps
- GET request to the user-groups settings URL.
- "id" for the user-group must be provided as path parameter (URL-Encoded format).
Request:
GET https://operations-for-networks.example.com/api/ni/settings/user-groups/sysadmins@system%20domain
Authorization: NetworkInsight {auth-token}
Response:
{ "group_type": "VIDM", "id": "sysadmins@system domain", "group_name": "sysadmins", "domain": "vidmlabs.com", "role": "ADMIN" }
Deleting an existing user-group
This API is currently restricted to deletion of user-groups mapped through VMware Identity Manager.
Prerequisites
- User performing this action must have adequate permissions (admin user) to manage users and user-groups.
Steps
- DELETE request to the user-groups settings URL
- "id" for the user-group must be provided as path parameter (URL-Encoded format)
Request:
DELETE https://operations-for-networks.example.com/api/ni/settings/user-groups/sysadmins@system%20domain
Authorization: NetworkInsight {auth-token}
Response:
HTTP 204 (No-content)