Skip to main content

REST APIs for 22.2

Session Credentials

While API Keys provide a persistent means of authenticating with the PCE, session credentials provide a temporary means of authenticating so you can make Illumio REST API calls.

Important

Any tooling that parses the HTTP headers should be changed to allow case-insensitive header name matching in order to retain compatibility with future PCE releases. Refer to RFC 7230, section 3.2, "Header Fields," which states that field names should be case insensitive.

Choose a session token or an API key depending on your programming needs.

Session Credentials and Tokens

When you create session credentials, an auth_username and session token are returned that function as a temporary username and password for making API calls.

Session credentials are used to make all Illumio REST API calls that require authentication and are composed of an auth_username and a token. They expire after not being used for 30 minutes and reset for another 30 minutes if used within the 30-minute window.

The session token expires after 10 minutes of inactivity.

When to Use a Session Token

An auth_username and session token are useful for a one-time use of the API or for testing the API. To write a script that performs a one-time use of the API with a session token, use the Login API to create the auth_username and session token. Use those credentials for making other API calls in the script, and then once the script has run, the session token immediately expires when the user logs out.

What Does a Session Token Look Like?

When you authenticate with the PCE using the Login API, the response returns the credentials needed to make other API calls:

  • Your username: "auth_username": user_3

  • Your session token: "session_token":"xxxxxxx563199f92af7b705ddca26854205b5233"

To use the Illumio REST API:

  1. Call login_users/authenticate using the e-mail address and password you used to create your PCE account to obtain an authentication token.

    Note

    The authorization token expires after 30 seconds, so have the next call formed and ready to paste onto the terminal window before calling login_users/authenticate.

  2. Call users/login with the authentication token to obtain temporary session credentials.

Authenticate to Login Service

Before you can use the Illumio REST API to access the PCE, you need to use the Login Users API to authenticate with the Illumio Login Service and obtain an authentication token. This authentication token expires in 30 seconds.

The URL for the Illumio Login Service for Illumio Core Cloud users is:

  • Login Server: https://login.illum.io:443

  • PCE: scp1.illum.io

For SaaS customers the PCE URL can be different based upon their SaaS PCE:

  • SCP1 & SCP2 (US)

  • SCP3 UK only

  • SCP4 APAC

  • SCP5 (EMEA)

If you have deployed the PCE as software, then the hostname for the PCE is the value you defined for the 'pce_fqdn' parameter in the runtime_env.yml file.

Once obtained, you can then pass the authentication token to the PCE you want to access using the Login API. Once you have authenticated with the PCE and obtained a session token, you can make other API calls or Create an API Key for persistent API access to the PCE.

URI to Authenticate with the Login Service

POST [api_version]/login_users/authenticate
Create an Authentication Token for the Login Service

To create an authentication token and authenticate with the Login Service, you need to specify the Fully Qualified Domain Name (FQDN) of the PCE you want to access in the call.

Parameter

Description

Type

Required

pce_fqdn

Fully Qualified Domain Name (FQDN) of the PCE

If you are using Illumio Core Cloud, then the

FQDN for the PCE is scp1.illum.io.

If you have deployed the PCE virtual appliance in your own network,

then use the FQDN specified during installation of the PCE virtual appliance.

String

Yes

Curl Commands for Authentication

When you received your invitation, you used an e-mail and password to create your PCE account. Use these credentials now to make a call to authenticate.

If you haven't received an invitation, contact your Illumio administrator.

Example (local users only, use SAML ID for remote users):

You also need the FQDN of the Login Server plus the FQDN of the PCE host you want to access:

  • The Login Server FQDN for Illumio Core Cloud users is https://login.illum.io:443

  • The PCE FQDN is scp1.illum.io

Note

The authorization token that is returned (auth_token) expires after being idle for 30 seconds, so be ready to call GET users/login to create session credentials immediately after making the call to login_users/authenticate.

Retrieve a Token

This curl example shows how SaaS local users can use the Illumio Login Service (SAML ID for Remote Users)

curl -i -X POST https://login.illum.io:443/api/v2/login_users/authenticate?pce_fqdn=scp1.illum.io -u [email protected]:'password' -H "Content-Type: application/json"

Illumio on-premises solutions do not use a login server, so the curl command will look like this:

curl -i -X POST -u [email protected]:password https://pce.my-company.com:8443/api/v2/login_users/authenticate?pce_fqdn=pce.my-company.com -H "Content-Type: application/json"

Response Body to Authenticate with Login Service

The response for the Login Users API is an authentication token (in blue font):

{ "auth_token":"xxxxxxxxxxxxxxxxxxxxxw89QutJ5WLntqz5jUrI2guA1rZJXKfcbwuF" }
Use Login API to Create Session Credentials

Unless you're using persistent API credentials, every time you want to access the Illumio REST API, you must authenticate with the PCE using an auth username and a session token. To create these session credentials, call GET /users/login with the authentication token previously returned by a call to POST /login_users/authenticate.

URI

GET [api_version]/users/login
Parameters

Login Service authentication token you obtained using the Login Users API.

Login Users API JSON Schema

This API uses the Illumio Core schema users_login_get.schema.json.

Create Session Token
curl -i -X GET https://pce.my-company.com:8443/api/v2/users/login -H "Authorization: Token token=ntqz5jUrI2guA1XzUiLCJlbmMiOiJBMTI4Q0JDLUhZJ"
Response Body

GET /users/login returns a temporary auth_username and session_tokes shown below in blue. These are used in the curl examples as $KEY:$TOKEN respectively (if you're not using persistent API credentials).

Example: -u user_4:'xxxxxxxx628f5773c47b72dbcd437b4a10d85a06a'

{
    "full_name": "Buford T. Justice",
    "local": true,
    "type": "local",
    "href": "/users/4",
    "auth_username": "user_4",
    "inactivity_expiration_minutes": 10,
    "start": "2017-10-12 16:49:49 UTC",
    "time_zone": "America/Los_Angeles",
    "last_login_ip_address": "209.37.96.18",
    "last_login_on": "2020-10-12T16:49:49.000Z",
    "certificate": {
        "expiration": "2020-11-27T03:09:00.000Z",
        "generated": false
    },
    "login_url": "https://devtest166.ilabs.io:8443/login",
    "orgs": [
        {
            "org_id": 1,
            "org_href": "/orgs/1",
            "display_name": "illum.io",
            "role_scopes": [
                {
                    "role": {
                        "href": "/orgs/1/roles/owner"
                    },
                    "scope": [],
                    "href": "/orgs/1/users/4/role_scopes/4"
                }
            ]
        }
    ],
    "session_token": "xxxxxxxx628f5773c47b72dbcd437b4a10d85a0",
    "version_tag": "60.1.0-9701f78bef46f521e3d6dd98f70cd8c220940885",
    "version_date": "Tue Sep 12 11:12:46 2020 -0700",
    "product_version": {
        "version": "17.1.1",
        "build": "6168",
        "long_display": "17.1.1-6168",
        "short_display": "17.1.1"
    }
}
API Call Using Session Credentials

Once you obtain an auth_username and session token from the PCE, you use them to make API calls.

For example, if you wanted to use this session token to get a collection of labels in an organization using the Labels API, the curl command can be written as shown below, using the following authentication:

  • auth_username: user_3

  • Session Token: xxxxxxx563199f92af7b705ddca26854205b5233

curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/3/labels -H "Accept: application/json" -u user4:'xxxxxxxx628f5773c47b72dbcd437b4a10d85'
Optional Features

This API was introduced to help avoid issues with misconfigured DNS, which can cause problems with VEN connectivity. Likewise, misconfiguring DHCP can cause problems with IP addresses.

You need a key to invoke /optional_features API to enable editable_dns_client_rule or editable_dhcp_client_rule. Such a key involves a portion that is tightly controlled so that it cannot be randomly generated.

Once the key is generated, it cannot be used in more than one place, which means that an API call provided to customer #1 cannot be replayed at customer #2 who must request their own key.

An example of the generated key:

secret = 
		'...'   # value embedded in code 
 
data = Base64.strict_encode64({ 
	'pce_fqdn'   => Illumio::RuntimeEnvironment.pce_fqdn, 
	'org_id'   => xorg_id, 
	'optional_feature'   => 
		'editable_dns_client_rule' , 
	'not_valid_after'   => Time.now.utc.iso8601 
}) 
 
key = data + OpenSSL::HMAC.hexdigest( 'SHA256' , secret, data)

A new schema as well as two endpoints were added.

Get the optional features collection

  • optional_feature.schema.json

  • optional_features_get

Set the optional features for an organization

  • optional_features_put

PUT /orgs/ 1 /optional_features 
[ 
    { "name" : 
        "editable_dns_client_rule,"enabled":true, key":<key as generated above>} 
]
See also: