Certificate for REST APIs

PowerProtect Data Manager provides a self-signed certificate by default. The self-signed certificate is not trusted by external systems by default and may block you from using the REST APIs because of security warnings from the HTTP client. This tutorial introduces two ways to resolve this issue.

Trust the PowerProtect Data Manager certificate (recommended)

There are two ways to trust the certificate.

Install a certificate that is already trusted in your system

If you already have a certificate authority (CA) that is trusted in your organization, consider replacing the default self-signed certificate in PowerProtect Data Manager with your own trusted certificate.

To replace the default self-signed certificate with a certificate that is already trusted in your IT infrastructure, follow the steps for replacing the default PowerProtect Data Manager certificate in the PowerProtect Data Manager Administration and User Guide.

Trust the PowerProtect Data Manager root CA

Most HTTP clients have their own trusted CA management. Follow the guidelines for those clients to install the PowerProtect Data Manager root CA into the corresponding trusted area.

The PowerProtect Data Manager root CA can be located here:

/etc/ssl/certificates/rootca/rootca.pem

If you are using the client URL (cURL) command line, you can specify the path to your own CA certificate with the --cacert option. For example:

curl --cacert /etc/ssl/certificates/rootca/rootca.pem \
  --request POST \
  --url https://<your-ppdm-server>:8443/api/v2/login \
  --header 'content-type: application/json' \
  --data '{"username":"<your-user-name>","password":"<your-password>"}'
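
The same trust setup for a scripted HTTP client, as an added example that is not part of the original page: a Python standard-library client that trusts only the PowerProtect Data Manager root CA and keeps hostname verification on. The function names and the local copy of rootca.pem are assumptions; the port and login path are the ones used in the cURL command above.

```python
import json
import ssl
import urllib.error
import urllib.request

# Path given on this page (location on the PowerProtect Data Manager system).
# Assumption: on a client machine, pass the path of your local copy instead.
PPDM_ROOT_CA = "/etc/ssl/certificates/rootca/rootca.pem"


def strict_context():
    """TLS client context with verification on and an empty trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def ppdm_context(ca_file=PPDM_ROOT_CA):
    """Trust only the given root CA; a missing or unreadable file raises."""
    ctx = strict_context()
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def login_request(server, username, password):
    """Build the same POST the cURL example sends to /api/v2/login."""
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        f"https://{server}:8443/api/v2/login",
        data=body,
        headers={"content-type": "application/json"},
        method="POST",
    )


def login(server, username, password, ca_file=PPDM_ROOT_CA):
    """Log in over verified TLS; never retries without verification."""
    req = login_request(server, username, password)
    try:
        ctx = ppdm_context(ca_file)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            # Python's counterpart of curl error 60: fix trust, do not disable it.
            raise RuntimeError(f"TLS verification failed using {ca_file}: {exc.reason}") from exc
        raise
```

Because the context starts with an empty trust store, only servers whose chain ends at the supplied root CA are accepted, and the server name in the URL must match the certificate.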

Ignore the certificate-not-trusted warning (nonproduction activities only)

Most HTTP clients provide an option to turn off SSL certificate verification.

To log in to the system, you can use this cURL command:

curl --request POST \
  --url https://<your-ppdm-server>:8443/api/v2/login \
  --header 'content-type: application/json' \
  --data '{"username":"<your-user-name>","password":"<your-password>"}'

If you have not trusted the PowerProtect Data Manager root CA, you are blocked by the following response from cURL:

curl: (60) SSL certificate problem: self signed certificate in certificate chain.

More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

For nonproduction activities such as test and debug, you can use the -k option to bypass the certificate verification.

curl -k --request POST \
  --url https://<your-ppdm-server>:8443/api/v2/login \
  --header 'content-type: application/json' \
  --data '{"username":"<your-user-name>","password":"<your-password>"}'

Then the response is OK.

CAUTION: Ignoring the certificate is risky because it enables man-in-the-middle attacks that can sniff your traffic (in this case, the password). Ensure that you use this method only in a safe network environment.