Managing authentication using API Keys
Learn what API Keys are and how they can secure authentication quickly and easily.
API Keys provide a secure authentication method based on a JSON Web Token
(JWT) generated and stored by HCL Universal Orchestrator. This
authentication method provides a number of advantages, such as:
- central repository for all platforms and for multiple configurations
- improved user experience when setting up the OCLI
- API Keys life cycle completely managed using OCLI
- easier problem solving when authentication problems occur
Before you begin
Ensure you have completed the following tasks:
- You have installed an OpenID Connect (OIDC) provider and configured HCL Universal Orchestrator to work with it. To configure HCL Universal Orchestrator, fill in the relevant properties in the values.yaml file available for HCL Universal Orchestrator deployment. Comments are available in the values.yaml file to explain all properties.
- After accessing the product for the first time, configure administrative roles based on your requirements. For more information, see Managing security roles.
Issuing API Keys
You can issue API Keys using one of the following methods:
- Using the Dynamic Workload Console, as described in Authenticating the Orchestration CLI using API Keys.
- Using the REST APIs, as described in the documentation available at https://hostname:port/q/swagger-ui/#/, where:
  - hostname is the host name of the HCL Universal Orchestrator gateway.
  - port is the port used by the HCL Universal Orchestrator gateway.
- Using the command line, as described in Authenticating Orchestration CLI using API Keys.
You can view the API Keys using the ocli model list apikey command. For more information, see list.
If an API Key is about to expire or has expired, a warning message is displayed in the command line, together with a link to generate a new API Key.
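The expiry warning above appears only in an interactive command line, so keys used by unattended automation can lapse unnoticed. The following added example (not part of the product or its documentation) reads the expiry from a key ahead of time. It assumes the API Key is a compact JWT carrying the standard exp claim, which this page does not confirm; the function names and the 14-day window are illustrative. The signature is not verified, so use the result for monitoring only, never to decide whether a key is trusted.

```python
import base64
import json
import time
from typing import Optional, Tuple

WARN_DAYS = 14  # assumed warning window, not a product default


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def expiry_status(token: str, now: Optional[float] = None,
                  warn_days: int = WARN_DAYS) -> Tuple[str, Optional[float]]:
    """Return (state, days_left); state: expired, expiring, ok or no-exp."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")  # assumes the standard RFC 7519 claim
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return ("no-exp", None)
    days_left = (exp - now) / 86400
    if days_left <= 0:
        return ("expired", days_left)
    return ("expiring" if days_left <= warn_days else "ok", days_left)


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo; not a real API Key."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the output is reproducible
    samples = {"ci-agent": 90, "old-agent": 3, "stale": -1}  # label: days to exp
    for label, days in samples.items():
        token = constructed_token({"sub": label, "exp": now + days * 86400})
        state, left = expiry_status(token, now=now)
        print(f"{label}: {state} ({left:.1f} days)")
```

Run a check like this from the secret store or pipeline that holds the key, and avoid writing the key itself to logs.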
Revoking agent authorization
To revoke authorization for an agent to register and connect with HCL Universal Orchestrator, perform the following steps:
- Remove the REGISTER_AGENT administrative permissions from the ACLs for the user who installed the agent or the user who created the API Key used to register the agent. You can perform this operation from the Dynamic Workload Console, as described in Managing access control list.
- Delete the API Key.
  - Open a shell session.
  - Launch the ocli model script.
  - Run the following command:
    ocli model delete apikey Label
    where Label is the name of the API Key you want to delete.
For more information about the delete command, see delete.
From the Dynamic Workload Console, you can perform the same operation as follows:
- Log in to the Dynamic Workload Console.
- Select an engine.
- Click on the User icon in the upper right corner.
- Select Manage API Keys.
- Select the API Key to be deleted.
- Click on the Delete icon.
After revoking the agent authorization, you can register the agent again by creating a new API Key, as explained in Issuing API Keys.