Chapter 3. Authenticating API Calls

Interaction with the Satellite API requires authentication. You can download the Satellite Server CA certificate to your local host for use in each API request to provide SSL authentication. Each API request also requires a valid user name and password. Each of these is discussed in the following sections.

3.1. Using SSL Authentication

Red Hat Satellite uses HTTPS, which provides a degree of encryption and identity verification when communicating with a Red Hat Satellite Server. Non-SSL communications are not supported by Satellite 6.
Each Red Hat Satellite Server uses a self signed certificate. This certificate acts as both the server certificate to verify the encryption key and the certificate authority (CA) to trust the identity of the Satellite Server. The following steps show how to set up a SSL authentication for the Satellite Server (in this case satellite6.example.com):
  1. Obtain a certificate from the Satellite Server with which you want to communicate (satellite6.example.com) using one of the following options:
    1. To obtain a certificate using SSH, run the following command:
      $ scp root@satellite6.example.com:/var/www/html/pub/katello-server-ca.crt ./
    2. If you execute the command directly on the Satellite Server, obtain a certificate from the locally available copy by running the following command:
      $ cp /var/www/html/pub/katello-server-ca.crt ./
    3. To obtain a certificate using HTTP, run the following command:
      $ curl -O http://satellite6.example.com/pub/katello-server-ca.crt

      Warning

      Retrieving a certificate using an unencrypted HTTP connection might present a security risk.
  2. Use the certificate on your client as a certificate authority to verify the identity of the Satellite Server:
    $ curl -X GET -u sat_username:sat_password \
    -H "Accept:application/json" --cacert katello-server-ca.crt \
    https://satellite6.example.com/katello/api/organizations
    GET is the default action and therefore -X GET attribute can be omitted here.
  3. Create a Network Security Services (NSS) database to store the certificate:
    $ certutil -N -d sql:$HOME/.pki/nssdb
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.
    
    Enter new password:
    Re-enter password:
    If the NSS database already exists you will be prompted for the password as follows:
    Enter Password or Pin for "NSS Certificate DB":
  4. Use the following command to permanently include the certificate in the NSS database:
    $ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "Red Hat Satellite" \
    -i katello-server-ca.crt
    This imports the certificate into the NSS database, which means you can omit the --cacert option for each request. You can test this as follows:
    $ curl -X GET -u sat_username:sat_password https://satellite6.example.com/api/v2/hosts
    {
        "total": 2,
        ...,
        "results": [
            ...
        ]
    }
    output omitted