Authentication and Authorization

This tutorial describes authentication and authorization with the REST API on a PowerProtect DDMC system.

Authentication

For a client to use the PowerProtect DDMC system REST API, the client must first authenticate the user through the RESTful server on the DDMC system. The RESTful server also performs RBAC (Role-Based Access Control) to authorize the user according to their role in the system. Client authentication can be performed in the following two ways:

Using username and password

The client sends an authentication request carrying the username and password. If the credentials are valid, the RESTful server on the DDMC system authorizes the user and returns an authentication token in the HTTP response header.

curl --request POST \
     --url https://<DDMC-SYSTEM-IP/FQDN>:3009/rest/v1.0/auth \
     --data '{"username":"<your-user-name>","password":"<your-password>"}'

Sample response:

< HTTP/1.1 201 Created
< Content-Type: application/json
< Content-Length: 165
< X-DD-AUTH-TOKEN: dd31fb722e4e359ad7a5cb3de66086766
< X-DD-UUID: 11e3b3f23ccb590b:a0ae3cd21ebdb52d
< Access-Control-Allow-Credentials: true
< Cache-Control: no-cache
< Server: Data Domain OS
< Access-Control-Expose-Headers: AUTHORIZATION, X-DD-AUTH-TOKEN, X-DD-JSON-RESPONSE-WITH-ROOT, X-DD-PEER-USERNAME
<
{"details": "success", "code": 0, "link": [{"rel": "related", "href": "/rest/v1.0/system"}, {"rel": "related", "href": "/rest/v1.0/dd-systems"}]}   

Subsequent API calls must include X-DD-AUTH-TOKEN in the HTTP request header. The default session timeout is 30 minutes. Edit the registry to change the session timeout value if needed.

--header 'X-DD-AUTH-TOKEN: <your-auth-token>'
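The token flow above, as an added example that is not part of the DDMC documentation: a small Python client that logs in, keeps the X-DD-AUTH-TOKEN from the response header, sends it on later calls, and logs in again once when the session has timed out. The base URL and credentials are placeholders, the transport is injectable so the logic can be exercised without a DDMC system, and the assumption that an expired token is answered with HTTP 401 is mine, not stated by the documentation.

```python
import json
import urllib.error
import urllib.request

TOKEN_HEADER = "X-DD-AUTH-TOKEN"


class DDMCSession:
    """Token session for the DDMC REST API. `transport(method, url, headers, body)`
    returns (status, response_headers, body); inject a fake one to run offline."""

    def __init__(self, base_url, username, password, transport):
        self.base_url = base_url.rstrip("/")  # e.g. https://<DDMC-SYSTEM-IP/FQDN>:3009
        self._creds = {"username": username, "password": password}
        self._transport = transport
        self.token = None

    def login(self):
        # POST /rest/v1.0/auth and keep the token from the response header.
        status, headers, _ = self._transport(
            "POST", self.base_url + "/rest/v1.0/auth",
            {"Content-Type": "application/json"}, json.dumps(self._creds).encode())
        if status != 201:
            raise PermissionError(f"authentication failed: HTTP {status}")
        # Header names are case-insensitive; the token is only in the header, not the JSON body.
        token = next((v for k, v in headers.items() if k.lower() == TOKEN_HEADER.lower()), None)
        if not token:
            raise ValueError(f"201 response without {TOKEN_HEADER} header")
        self.token = token
        return token

    def get(self, path):
        # GET with the session token; log in again once if the session has timed out.
        for attempt in range(2):
            if self.token is None:
                self.login()
            status, _, body = self._transport(
                "GET", self.base_url + path, {TOKEN_HEADER: self.token}, b"")
            if status == 401 and attempt == 0:  # assumed: an expired token is answered with 401
                self.token = None
                continue
            if status != 200:
                raise RuntimeError(f"GET {path} failed: HTTP {status}")
            return json.loads(body)
        raise PermissionError("token rejected even after re-authentication")


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport; urllib's default context verifies the DDMC host certificate."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # non-2xx responses arrive as exceptions
        return err.code, dict(err.headers), err.read()
```

Use `DDMCSession("https://<DDMC-SYSTEM-IP/FQDN>:3009", user, password, urllib_transport)` against a real system; the token is never written to disk and lives only for the session object.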

Certificate-based authentication

The authentication and authorization process is the PowerProtect DDMC in-house client certificate verification process, performed through the PowerProtect DDMC REST API. It runs on top of the SSL layer: the normal SSL handshake and verification over HTTPS between client and server must complete before the authentication and authorization process begins. The client certificate mechanism uses a strong public key infrastructure together with symmetric cryptography, and provides a secure way to access PowerProtect DDMC systems. The client certificate must contain the user information (the username). This user must be a valid local, Network Information Service (NIS), or Active Directory (AD) user on the server side (that is, on the Data Domain Management Center or a standard Data Domain system). The following sections provide procedures for preparing the client and the server for certificate-based authentication.

Prepare the client

To prepare the client side for certificate-based authentication:

  1. Obtain the CA certificate and the client certificate. The client must obtain the CA certificate and a client certificate that carries a valid local or name service (NIS or AD) username on the PowerProtect DDMC system.
  2. Import the CA certificate on the DDMC system. For example:
ssh sysadmin@<DDMC-SYSTEM-IP/FQDN> adminaccess certificate import ca application login-auth < cacert.pem
  3. Copy the DDMC system CA certificate to the client system. If required, save the DDMC system CA certificate on the local system so the client can verify the server it communicates with. You can use OpenSSL to retrieve the public CA certificate of the DDMC system. For example:
openssl s_client -showcerts -connect 10.213.217.78:3009  < /dev/null
CONNECTED(00000003)
depth=1 C = US, ST = CA, L = Santa Clara, O = Valued Datadomain Customer, OU = Root CA, CN = ddmc-7.3-1.brs.lab.emc.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=CA/OU=Host Certificate/O=Valued DataDomain customer/CN=ddmc-7.3-1.brs.lab.emc.com
   i:/C=US/ST=CA/L=Santa Clara/O=Valued Datadomain Customer/OU=Root CA/CN=ddmc-7.3-1.brs.lab.emc.com
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
 1 s:/C=US/ST=CA/L=Santa Clara/O=Valued Datadomain Customer/OU=Root CA/CN=ddmc-7.3-1.brs.lab.emc.com
   i:/C=US/ST=CA/L=Santa Clara/O=Valued Datadomain Customer/OU=Root CA/CN=ddmc-7.3-1.brs.lab.emc.com
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=CA/OU=Host Certificate/O=Valued DataDomain customer/CN=ddmc-7.3-1.brs.lab.emc.com
issuer=/C=US/ST=CA/L=Santa Clara/O=Valued Datadomain Customer/OU=Root CA/CN=ddmc-7.3-1.brs.lab.emc.com
  4. Import the client certificate into the browser. To use the client certificate from a browser, import it into the browser so the browser can present the certificate before sending the request to the DDMC system. The client provides proof of possession to the browser by supplying both the private and the public key. The browser validates the client using the private and public keys, but sends only the client public key to the DDMC system.

Importing a client certificate to Chromium on Ubuntu 12.04

To import a client certificate into a Chromium browser (Ubuntu 12.04):

  1. Open a Chromium browser instance.
  2. Click Edit->Preferences.
  3. Navigate to HTTPS/SSL(Manage Certificates…).
  4. Select the Your Certificates tab and click Import.
  5. Go to your client certificate directory and choose the p12 certificate file. When prompted, specify a password to decrypt the PKCS12 file.

Importing a client certificate to Safari and Chromium on a MacBook Pro Computer

  1. In the EMC_CA/certs directory, double-click the p12 certificate and follow the instructions for importing the client certificate on the MacBook.

  2. Open Keychain Access and mark the client certificate as trusted:

    1. Open Keychain Access.
    2. Select System in the top left panel and select the category My Certificates in the bottom left panel.
    3. Right click the certificate.
    4. Select Get Info.
    5. Click Trust.
    6. From the When using this certificate area, select Always Trust.
  3. Enable applications to access this certificate without requiring a password:

    1. From /Applications/Utilities, open Keychain Access.
    2. From the Keychain pane, select the System keychain.
    3. Select System in the top left panel, and select the category My Certificates in the bottom left panel.
    4. Click the arrow next to the imported certificate.
    5. Double-click the private key.
    6. From the Access Control tab, select Allow all applications to access this item.
    7. Click Save Changes and authenticate as a local administrator when prompted.

Prepare the server

To prepare the server for certificate-based authentication on a PowerProtect DDMC system:

  1. Verify that the client certificate is properly installed on the DDMC system. For example:
adminaccess certificate show imported-ca application login-auth
  2. Ensure that the username is valid on the DDMC system.

If the user is an NIS user, complete the following steps on the target DDMC system:

  1. Identify the group information for the NIS user by running the following Unix/Linux shell command, which queries the name service for the user's group membership. For example:
# id anjala
uid=200(anjala) gid=200(anjala) groups=200(anjala)
  2. Assign the RBAC role to the user's NIS group:
# authentication nis groups add anjala role admin
  3. If no default value is available from DHCP, set the NIS server and domain information with the following CLI commands:
authentication nis servers add <server-list>
authentication nis domain set <domain>
  4. Enable NIS and verify the configuration:
# authentication nis enable
# authentication nis show
    NIS Summary:
    Domain: datadomain.com
    Servers: 10.25.209.6,10.25.232.17
    Admin Groups: anjala
    User Groups:
    Backup Operator Groups:
    Enabled: Yes
    Status: Good

If the user is a local user, complete the following steps on the target DDMC system:

  1. Check the user status:
# user show list
  2. If the user does not exist, add the user with the desired role:
# user add <username> role [admin|user...]

After the server and the client are ready, try the following command to perform the certificate-based authentication:

curl --tlsv1 --cacert <path-to-dd-ca-cert>/<dd-cacert> \
     --request GET \
     --header "Content-Type: application/json" \
     --url https://<DDMC hostname>:3009/rest/v1.0/system \
     --cert <path-to-client-cert>/<client-public-cert> \
     --key <path-to-client-cert>/<client-private-key>

Use the -k option if you do not want to specify the DDMC system public CA certificate (curl then skips verification of the DDMC host certificate):

curl --tlsv1 --request GET \
     --header "Content-Type: application/json" \
     --url https://<DDMC hostname>:3009/rest/v1.0/system \
     --cert <path-to-client-cert>/<client-public-cert> \
     --key <path-to-client-cert>/<client-private-key> -k

Note:

  • The DDMC hostname must be the same as the common name in the host certificate of the DDMC system, because (for security purposes) the peer name must match the subject name in the DDMC host certificate.
  • The DDMC hostname must be resolvable.