第3章 Authenticating API Calls

Interaction with the Satellite API requires SSL authentication with Satellite Server CA certificate and authentication with valid Satellite user credentials. This chapter outlines the authenticating methods you can use.

3.1. SSL Authentication Overview

Red Hat Satellite uses HTTPS, which provides a degree of encryption and identity verification when communicating with a Red Hat Satellite Server. Satellite 6.8 does not support non-SSL communications.

Each Red Hat Satellite Server uses a self-signed certificate. This certificate acts as both the server certificate to verify the encryption key and the certificate authority (CA) to trust the identity of Satellite Server.

3.1.1. Configuring SSL Authentication

Use the following procedure to configure an SSL authentication for the API requests to Satellite Server.

Procedure

  1. Obtain a certificate from the Satellite Server with which you want to communicate using one of the following options:

    • If you execute the command from a remote server, obtain a certificate using SSH:

      $ scp root@satellite.example.com:/var/www/html/pub/katello-server-ca.crt ./
    • If you execute the command directly on the Satellite Server, copy the certificate to the current directory:

      $ cp /var/www/html/pub/katello-server-ca.crt ./
  2. Use the API request with the --cacert katello-server-ca.crt option to verify the identity of the Satellite Server:

    $ curl --request GET \
    --user sat_username:sat_password \
    --header "Accept:application/json" \
    --cacert katello-server-ca.crt \
    https://satellite.example.com/katello/api/organizations \
    | python -m json.tool
  3. Create a Network Security Services (NSS) database to store the katello-server-ca.crt certificate:

    $ certutil -N -d sql:$HOME/.pki/nssdb
  4. Permanently include the certificate in the NSS database:

    $ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "Red Hat Satellite" \
    -i katello-server-ca.crt
  5. Verify that the certificate is present in the NSS database by entering the API request without the --cacert option:

    $ curl --request GET \
    --user sat_username:sat_password \
    https://satellite.example.com/api/v2/hosts