Sunday, July 22, 2018

Ansible REST API - Interacting with Cisco FirePower Management Center (FMC) - 05 - Request Access Token

This post belongs to my "Ansible REST API - Interacting with Cisco FMC" series. The following is the table of contents of this series:
  1. Introduction and Ansible playbook download
  2. Script flow charts
  3. Introduction of REST API and Cisco FMC API Explorer
  4. Script prerequisites
  5. Request Access Token
  6. Get policy content, modify content and "PUT" in FMC - Part 1
  7. Get policy content, modify content and "PUT" in FMC - Part 2
  8. Get deployable devices and deploy policy

In the last post, I described the prerequisites for our main task playbook. Now we can start writing the main task YAML file, "/etc/ansible/roles/FMC-enable-policyrule/tasks/main.yml".

First of all, we need to be authenticated by the FMC server. Different systems use different authentication methods for REST API calls. Some of them require the user to provide a username/password for every call. FMC uses a token-based authentication mechanism for API users. The following shows the message flow for obtaining and using the access token:

[Figure: message flow for obtaining and using the access token]
The API user initiates a "POST" call to the Cisco FMC with username/password information (of course, this API call is encrypted by HTTPS). FMC verifies the login details and, if the username/password is valid, replies to the API user with the "x_auth_access_token" and a status code of "204" (regarding REST return codes, please refer to my other post, "REST API 101").

In the following API calls, the API user sends this "x_auth_access_token" in the header field and does not need to provide the username/password again for the whole token life cycle.

location: /etc/ansible/roles/FMC-enable-policyrule/tasks/main.yml

---
  - name: POST
    uri:
      url: "https://{{FMC_IP}}/api/fmc_platform/v1/auth/generatetoken"
      method: POST
      user: "{{username}}"
      password: "{{password}}"
      validate_certs: no        # skips TLS certificate verification of the FMC
      force_basic_auth: yes     # send the Basic auth header on the first request
      status_code: 204          # FMC answers the token request with 204, not 200
    register: token             # reply headers land in token.x_auth_access_token etc.


In this "POST" call, we specify the URL, username and password, and set "force_basic_auth" to "yes". By default, the Ansible uri module expects "200" as the status return code if none is specified. In our case, FMC replies with "204", so we need to specify it here as well.

The following shows the reply from the FMC server as registered in "token". The "x_auth_access_token" line is the one we need.


{
    "token": {
        "accept_ranges": "bytes",
        "cache_control": "no-cache, no-store, must-revalidate, max-age=0",
        "changed": false,
        "connection": "close",
        "content_length": "0",
        "cookies": {},
        "date": "Thu, 21 Jun 2018 12:15:45 GMT",
        "domain_id": "111",
        "domain_uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
        "domains": "[{\"name\":\"Global\",\"uuid\":\"e276abec-e0f2-11e3-8169-6d9ed49b625f\"}, {\"name\":\"Global/Sydney\",\"uuid\":\"dd731f3e-8297-5b05-7ac3-000000000001\"}]",
        "failed": false,
        "global": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
        "msg": "OK (0 bytes)",
        "redirected": false,
        "server": "Apache",
        "status": 204,
        "url": "https://192.168.1.205/api/fmc_platform/v1/auth/generatetoken",
        "user_uuid": "2bd20b46-708d-11e8-bc24-cd319511305b",
        "vary": "Accept-Charset,Accept-Encoding,Accept-Language,Accept",
        "x_auth_access_token": "a7103106-380d-4593-8184-044e8b2ea7fe",
        "x_auth_refresh_token": "042d27db-fa8e-435c-9250-3926f2841445",
        "x_frame_options": "SAMEORIGIN"
    }
}


Next, we need to set a new variable ("acc_token") and assign this access token to it.

location: /etc/ansible/roles/FMC-enable-policyrule/tasks/main.yml


  - name: get token
    set_fact:
      acc_token: "{{token.x_auth_access_token}}"
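The same two steps (token request, then extraction of the header for later calls) as a stand-alone Python helper. This is an added example, not part of the original playbook: the FMC is replaced by a constructed offline stand-in (`fake_fmc`), the credentials are placeholders, and the header values are the ones from the registered reply above. It also shows why the playbook reads `token.x_auth_access_token`: the uri module lowercases header names and turns "-" into "_".

```python
import base64
from typing import Callable, Dict, Tuple

# Constructed stand-in for the FMC (placeholder credentials): it checks the
# Basic header and answers with the 204 + headers seen in the reply above.
DEMO_USER, DEMO_PASS = "apiuser", "apipass"
FMC_204_HEADERS = {
    "Content-Length": "0",
    "X-auth-access-token": "a7103106-380d-4593-8184-044e8b2ea7fe",
    "X-auth-refresh-token": "042d27db-fa8e-435c-9250-3926f2841445",
    "DOMAIN_UUID": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
}
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]

def fake_fmc(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    expected = base64.b64encode(f"{DEMO_USER}:{DEMO_PASS}".encode()).decode()
    if not url.endswith("/api/fmc_platform/v1/auth/generatetoken"):
        return 404, {}
    if headers.get("Authorization") != f"Basic {expected}":
        return 401, {}                      # wrong username/password
    return 204, dict(FMC_204_HEADERS)       # empty body, token in the headers

def ansible_style(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names as Ansible's uri module registers them: lowercase,
    '-' replaced by '_' (hence token.x_auth_access_token in the playbook)."""
    return {k.lower().replace("-", "_"): v for k, v in headers.items()}

def generate_token(post: Transport, fmc_ip: str, user: str, password: str):
    """POST generatetoken with HTTP Basic auth and return
    (access_token, refresh_token, domain_uuid). `post` is the transport;
    in a real helper it would be an HTTPS client instead of fake_fmc."""
    url = f"https://{fmc_ip}/api/fmc_platform/v1/auth/generatetoken"
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, raw = post(url, {"Authorization": f"Basic {creds}"})
    if status != 204:                       # same check as status_code: 204
        raise RuntimeError(f"generatetoken returned {status}, expected 204")
    h = ansible_style(raw)
    if "x_auth_access_token" not in h:
        raise RuntimeError("204 received but no X-auth-access-token header")
    return h["x_auth_access_token"], h.get("x_auth_refresh_token"), h.get("domain_uuid")

def auth_headers(acc_token: str) -> Dict[str, str]:
    """Headers for every later call; the token replaces username/password."""
    return {"X-auth-access-token": acc_token, "Content-Type": "application/json"}
```

The playbook's `validate_certs: no` disables TLS certificate checking; outside a lab, point Ansible at the CA that issued the FMC certificate so the credentials and token are only ever sent to the real FMC.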


In the next post, I will show you the most important part of this playbook: how to modify the policy content of the existing access policy.
