Change the Authentication Provider for the Admin API

The information contained in this article is for advanced users.
You access CA Live API Creator by way of an authentication token. You can obtain a dynamic authentication token using the @authentication resource endpoint or you can create a static one. The procedures in this article show how to create a static authentication token so that you can roll back if you get errors.
After you change the authentication provider for the CA Live API Creator Admin API (Admin API), you can log in to API Creator and open the API. The login goes through this authentication provider. If you get errors, you can roll back to the default authentication provider.
For more information about how to obtain a dynamic authentication token, see Obtain and Use Authentication Tokens.
Verify the Prerequisites
If you want the Admin API to use a custom Lightweight Directory Access Protocol (LDAP) JavaScript authentication provider, ensure that you have defined the custom LDAP authentication provider.
For more information about how to define an LDAP authentication provider, see Authenticate API Users using an LDAP Authentication Provider.
Create a Static Authentication Token for the Admin API
Create the static authentication token that you will use to retrieve the authentication provider information.
Follow these steps:
 
  1. Log in to API Creator as the system administrator (sa) user.
    The System Administration Login dialog appears.
  2. Cancel the license dialog by pressing the ESC key on your keyboard.
    You are logged in to API Creator.
  3. Open the Admin API.
  4. Obtain an authentication token using API Creator by completing the following steps:
    1. In the Secure section, click Auth Tokens.
    2. Click Add.
    3. Enter values for the fields on the page and then save your changes.
      For more information about the other fields on this page, see Configure Authentication.
    The authentication token is created.
  5. Define the authentication token's expiration date:
    1. Click the Details tab.
      The Details page appears.
    2. Define that this authentication token should expire after one day. In the Expiration field, enter the date using the following format:
      yyyy-mm-dd[ -tT]hh[-.:]mm[-.:]ss[-.:]
      Example:
      2016-11-21 23:59:59
    3. Save your changes.
The authentication token is created and the expiration defined.
Test the Static Authentication Token
Test the authentication token that you created by using it to call the Admin API. The following request includes the Authorization HTTP header that identifies and authenticates the call.
Using the cURL command line, issue the following command:
curl \
  -H "Authorization:CALiveAPICreator <AUTH_TOKEN>:1" \
  -X GET "http://hostname:port/rest/abl/admin/v2/admin:authproviders"
Example:
curl \
  -H "Authorization:CALiveAPICreator 9medUxDlZvibZaeDmqga:1" \
  -X GET "http://hostname:port/rest/abl/admin/v2/admin:authproviders"
The following response is expected:
[
  {
    "ident": 2,
    "ts": "2015-11-04T18:25:54.072092Z",
    "name": "sa",
    "fullname": "System Admin",
    "email": "[email protected]",
    "status": "A",
    "roles": "System administrator",
    "data": null,
    "comments": null,
    "apikey_lifespan": null,
    "password_hash": "jA0D60fG+sB310w9MpLVEah/lg/f9aJCnDcPtl14ho55o6koI0zZ+cpxQiwdHFvUuzEF4byogjJ/wV9sbSJp5w==",
    "password_salt": "QH7FeE7frVejG1E4KSlU0Q==",
    "project_ident": 3
  }
]
The authentication token is verified.
Create an Admin Authentication Provider and Assign it to the Admin API
You create a custom admin JavaScript authentication provider by creating the authentication provider, and then specifying it as the authentication provider for the Admin API. You can also specify a custom LDAP JavaScript authentication provider as the authentication provider for the Admin API.
Specifying a custom admin JavaScript authentication provider as the authentication provider for the Admin API can make system administration and API management unrecoverable.
Specify an LDAP Authentication Provider as the Authentication Provider for the Admin API
CA Live API Creator is based on itself. You can authenticate the system administrator (sa) user and other TeamSpace users by specifying your LDAP authentication provider as the authentication provider for the Admin API. This replaces the default authentication provider, the TeamSpace Auth Provider, for the Admin API.
Best Practice: To simplify debugging your LDAP authentication provider, we recommend that you develop and test it before you specify it as the authentication provider for the Admin API.
Follow these steps:
 
  1. Open the Admin API and map your LDAP authentication provider to the Account admin and the Account reader roles. These are mandatory roles that CA Live API Creator expects.
    If you define other roles in the Admin API, map the authentication provider to these roles as well.
  2. Determine the TeamSpace to which the sa or TeamSpace user belongs by completing the following steps:
    1. If the sa user has defined multiple TeamSpaces in CA Live API Creator, from your LDAP information, determine which data maps to your TeamSpace.
    2. Specify the TeamSpace user's TeamSpace in the userInfo variable of the response object, for example:
      authResponse.userInfo = {typeOfPerson: 'Cool', teamSpaceUrlFragment: 'default'};
      The teamSpaceUrlFragment field is required for TeamSpace users. This field indicates to which TeamSpace the TeamSpace user has access. To determine its value, look at the URL when using an API in that TeamSpace. For example, you can use the REST Lab. In the following example URL, the URL fragment is default:
      http://localhost:8080/rest/default/MyAPI/v1/mydb:widgets
If your authentication provider does not work properly, you can switch it back to the default TeamSpace Auth Provider authentication provider.
Complete the following steps:
 
  1. Stop API Server.
  2. Update the ${HOME}/CALiveAPICreator.repository/system/authProviderName.json file to:
    {
      "authProviderName": "TeamSpace Auth Provider"
    }
    For more information about the authProviderName.json file, see View your API Definition.
  3. Restart API Server.
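The file update in step 2 as a shell function that first keeps a copy of the current setting and then replaces the file in one rename. This is an added example, not part of the original article or the product; the `LAC_REPO` variable and the function names are assumptions, while the file path and provider name are the ones given above.

```shell
#!/bin/sh
# Added example. Run only while API Server is stopped (step 1).
# LAC_REPO is an assumed override for installs that do not use the default path.
LAC_REPO="${LAC_REPO:-${HOME}/CALiveAPICreator.repository}"

# current_auth_provider [repo_dir]
# Print the provider name that authProviderName.json currently selects.
current_auth_provider() {
    sed -n 's/.*"authProviderName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        "${1:-$LAC_REPO}/system/authProviderName.json"
}

# rollback_auth_provider [repo_dir]
# Back up the current setting, then switch the Admin API back to the
# default provider. Prints the path of the backup file on success.
rollback_auth_provider() {
    repo="${1:-$LAC_REPO}"
    file="$repo/system/authProviderName.json"
    if [ ! -f "$file" ]; then
        echo "not found: $file" >&2
        return 1
    fi

    # Keep the custom provider setting so it can be restored after debugging.
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1

    # Start the temporary file as a copy so it inherits the original's mode,
    # overwrite its content, then rename it into place so the server never
    # reads a half-written file.
    tmp="$file.tmp.$$"
    cp -p "$file" "$tmp" || return 1
    printf '{\n  "authProviderName": "TeamSpace Auth Provider"\n}\n' > "$tmp" || return 1
    mv "$tmp" "$file" || return 1

    # Confirm the file now names the default provider before reporting success.
    [ "$(current_auth_provider "$repo")" = "TeamSpace Auth Provider" ] || return 1
    echo "$backup"
}
```

Call `rollback_auth_provider` between stopping and restarting API Server; to reinstate the custom provider later, copy the printed backup file back over `authProviderName.json`.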
Test your Admin Authentication Provider using cURL
Using the cURL command line, test your admin authentication provider, for example:
curl -H "Content-Type: application/json" .....
Delete the Static Authentication Token
Delete the authentication token that you created (or let it expire).