The example below shows how to get a Launchpad token from the Token Service. These steps walk you through getting the token you need to ingest in the CMR UAT and Prod environments.

To get a Launchpad token, you need to create a curl command that sends the information for your PKI certificate to the Launchpad token service. In this curl command, you'll need to include the local path where you saved your PKI certificate on your machine. You'll also need to include the password for your PKI certificate, which can be set up as an environment variable $pcode so it's not displayed when you enter your curl command. Finally, you need to specify the URL of the Launchpad token service. An example curl command will look like this:

curl -i --cert /Users/yliu10/Downloads/Modify-002888773.pfx:$pcode --cert-type P12 https://api.launchpad.nasa.gov/icam/api/sm/v1/gettoken

(Note: if you are using SIT, use the sandbox URL instead: https://api.launchpad-sbx.nasa.gov)

The gettoken request would return something like the following:

{
	"authlevel" : 25,
	"cookiename" : "SMSESSION",
	"session_idletimeout" : 3600,
	"session_maxtimeout" : 3600,
	"sm_token" : "x3uItGz[redacted]",
	"ssozone" : "SM",
	"status" : "success",
	......
}

The sm_token is the Launchpad token. You'll want to create a file on your local machine to store your token information for ease of use. To ensure your token works correctly, you can validate it against the Launchpad token service. To do so, you'll create a curl command that includes the path to your PKI certificate, the Launchpad token service URL, and the local path to the file where your token information is stored.

curl -XPOST -v --cert-type P12  --cert /Users/yliu10/Downloads/Modify-002888773.pfx:$pcode -H "Content-Type: application/json" https://api.launchpad.nasa.gov/icam/api/sm/v1/validate -d @/Users/yliu10/Downloads/token

In this example, /Users/yliu10/Downloads/token is the file that holds, in JSON, the Launchpad token to be validated.

cat /Users/yliu10/Downloads/token:
{"token": "x3uItGz[redacted]"}

The validation request would return something like the following:

{
	"authlevel" : 25,
	"backupowner_auids" : [ redacted ],
	"backupowner_employeenumbers" : [ redacted ],
	"gatewaytime" : 1584114916,
	"groups" : [ "CN=ND-GG-234514-smtokenservice,OU=Application Groups,OU=Groups,OU=Administrators,DC=ndc,DC=nasa,DC=gov", "CN=nd-gg-rea-sra-allow-issuance,OU=AGICAMGroups,OU=AGICAM,OU=AG,DC=ndc,DC=nasa,DC=gov", "CN=ND-GG-SV-GS-Services,OU=Groups,OU=Administrators,DC=ndc,DC=nasa,DC=gov, " ],
	"identitytype": "service_account",
	"owner_auid" : "redacted",
	"owner_employeenumber" : "redacted",
	"owner_groups" : [ "[redacted]", cn=GSFC-CMR_INGEST_PRODUCTION,[redacted]", "cn=GSFC-CMR_INGEST_UAT,[redacted]", "[redacted]" ],
	"session_idleremaining" : 3379,
	"session_idletimeout" : 3600,
	"session_lasttime" : 1584114695,
	"session_maxremaining" : 3366,
	"session_maxtimeout" : 3600,
	"session_starttime" : 1584114682,
	"session_sourceip" : "[redacted]",
	"ssozone" : "SM",
	"status" : "success",
	......
}

or 

{
	"auid": "redacted",
	"authlevel": 40,
	"gatewaytime": 1666882286,
	"groups": [redacted],
	"identitytype": "user",
	"levelofconfidence": 40,
	"session_idleremaining": 768,
	"session_idletimeout": 900,
	"session_lasttime": 1666882154,
	"session_maxremaining": 35867,
	"session_maxtimeout": 36000,
	"session_starttime": 1666882153,
	"session_sourceip": "redacted",
	"ssozone": "SM",
    "status" : "success",
	......
}
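
The token file and the validation response can also be handled by a short script. The following is an added example, not part of the original page or of the Token Service: it writes the {"token": ...} file with owner-only permissions, since the sm_token is a session credential, and checks a validate response for status, remaining session time and ingest group membership. The function names, the 300-second threshold and the sample responses are constructed for illustration.

```python
import json
import os

# Constructed sample responses, modelled on the fields shown above.
SAMPLE_GETTOKEN = '{"status": "success", "sm_token": "CONSTRUCTED-TOKEN"}'
SAMPLE_VALIDATE = json.dumps({
    "status": "success", "identitytype": "service_account",
    "owner_groups": ["cn=GSFC-CMR_INGEST_UAT,ou=constructed,dc=example"],
    "session_idleremaining": 3379, "session_maxremaining": 3366,
})

def save_token(gettoken_body, path):
    """Write the {"token": ...} file used by the validate call, owner-only."""
    resp = json.loads(gettoken_body)
    if resp.get("status") != "success" or not resp.get("sm_token"):
        raise ValueError("gettoken response carries no token")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as fh:
        json.dump({"token": resp["sm_token"]}, fh)
    return path

def check_validation(validate_body, required_group, min_seconds=300):
    """Return the problems found in a validate response; empty means usable."""
    resp = json.loads(validate_body)
    problems = []
    if resp.get("status") != "success":
        problems.append("status is not success")
    # The session ends at whichever of the two limits is reached first.
    remaining = min(resp.get("session_idleremaining", 0),
                    resp.get("session_maxremaining", 0))
    if remaining < min_seconds:
        problems.append(f"only {remaining}s of session left")
    # Assumption: the ingest group may sit in owner_groups or in groups.
    groups = resp.get("owner_groups", []) + resp.get("groups", [])
    wanted = "cn=" + required_group.lower()
    if not any(g.split(",")[0].strip().lower() == wanted for g in groups):
        problems.append(f"not a member of {required_group}")
    return problems

if __name__ == "__main__":
    save_token(SAMPLE_GETTOKEN, "token")
    print(check_validation(SAMPLE_VALIDATE, "GSFC-CMR_INGEST_UAT") or "token usable")
```

In practice the two JSON bodies would come from the gettoken and validate curl calls shown above (without -i or -v, so that only the JSON body is captured).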




5 Comments

  1. Is there a sit or uat equivalent of the https://api.launchpad.nasa.gov/icam/api/sm/v1/gettoken address shown above?

    I've tried simply inserting the appropriate signifier but get errors like

    curl: (6) Could not resolve host: api.sit.launchpad.nasa.gov; Unknown error

    when I make the attempt


    Later readers, note:

    It has been requested that nobody use the SIT endpoint, as this is hooked into the Sandbox Launchpad (see Yonggang's comment below).

  2. Both CMR UAT and PROD use the Token Service Production endpoint: https://api.launchpad.nasa.gov/icam/api/sm/v1/gettoken; CMR SIT uses the Token Service Sandbox endpoint: https://api.launchpad-sbx.nasa.gov/icam/api/sm/v1/gettoken

  3. The above walkthrough is useful for curl implementations using OpenSSL. Some curl implementations use the Netscape Security System (NSS) instead of OpenSSL. You can check what variety of curl you have using the command "curl -V". The curl software in the excerpt below states that it uses NSS:

    $ curl -V
    curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.11 libidn/1.28 libssh2/1.8.0
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets


    For curl implementations using NSS, you can't just specify the location of the .pfx certificate in the command as shown above. Instead, you have to obtain the certificate and its associated passphrase, then either insert it into an existing NSS certificate database or create a new database and insert the certificate there. 


    The command to query the certificate directly about itself, for reference's sake, is:

    $ pk12util -l launchpad.pfx
    <Enter the certificate's passphrase when prompted>


    The commands to create a new NSS certificate database (without a password) are:

    $ mkdir /some/path/cert_db
    $ certutil -N -d /some/path/cert_db/ --empty-password



    The command to insert the certificate into an existing database is:

    $ pk12util -i /path/to/launchpad.pfx -d /some/path/cert_db
    <Enter the certificate's passphrase when prompted>



    This is the command to list the certificates in your database. You will need the name of the certificate as it appears in the database in order to use it.

    $ certutil -L -d /some/path/cert_db



    Now you have to tell curl where to look for the certificate you want (which NSS database) by exporting SSL_DIR. Consult the curl manual for more information:

    $ export SSL_DIR=/some/path/cert_db/



    After setting all of the above up, the command to get a token then becomes:

    $ curl --silent --cert <Name of the certificate in your database>  https://api.launchpad.nasa.gov/icam/api/sm/v1/gettoken



    FYI: For ease of use (e.g., among a group), note the contents of (certificates in) these databases may be used when their permissions are set to 640 (owner read/write, group read).

  4. Is there any documentation on creating the above request using Postman? That would be helpful to me. 

  5. It would also be helpful if there was documentation on how to create an environment variable.