See below for an example of how to get a Launchpad token from the Token Service. These steps walk you through getting the token you need to ingest in the CMR UAT and Prod environments.
To get a Launchpad token, you need to create a curl command that will send the information for your PKI certificate to the Launchpad token service. In this curl command, you'll need to include the local path to where you saved your PKI certificate to your machine. You'll also need to include the password for your PKI certificate, which can be set up as an environment variable $pcode so it's not displayed when you enter your curl command. Finally, you need to specify the URL of the Launchpad token service. An example curl command will look like this:
curl -i --cert /Users/yliu10/Downloads/Modify-002888773.pfx:$pcode --cert-type P12 https://api.launchpad.nasa.gov/icam/api/sm/v1/gettoken
(Note: if you are trying to use SIT, the URL is that of the sandbox: https://api.launchpad-sbx.nasa.gov)
The gettoken request would return something like the following:
{ "authlevel" : 25, "cookiename" : "SMSESSION", "session_idletimeout" : 3600, "session_maxtimeout" : 3600, "sm_token" : "x3uItGz[redacted]", "ssozone" : "SM", "status" : "success", ...... }
The sm_token is the Launchpad token. You'll want to create a file on your local machine to store your token information for ease of use. To ensure your token works correctly, you can validate it against the Launchpad token service. To do so, create a curl command that includes the path to your PKI certificate, the Launchpad token service URL, and the local path to the file where your token information is stored.
curl -XPOST -v --cert-type P12 --cert /Users/yliu10/Downloads/Modify-002888773.pfx:$pcode -H "Content-Type: application/json" https://api.launchpad.nasa.gov/icam/api/sm/v1/validate -d @/Users/yliu10/Downloads/token
In this example, /Users/yliu10/Downloads/token is our file holding the Launchpad token to be validated in JSON.
cat /Users/yliu10/Downloads/token:
{"token": "x3uItGz[redacted]"}
The validation request would return something like the following:
{ "authlevel" : 25, "backupowner_auids" : [ redacted ], "backupowner_employeenumbers" : [ redacted ], "gatewaytime" : 1584114916, "groups" : [ "CN=ND-GG-234514-smtokenservice,OU=Application Groups,OU=Groups,OU=Administrators,DC=ndc,DC=nasa,DC=gov", "CN=nd-gg-rea-sra-allow-issuance,OU=AGICAMGroups,OU=AGICAM,OU=AG,DC=ndc,DC=nasa,DC=gov", "CN=ND-GG-SV-GS-Services,OU=Groups,OU=Administrators,DC=ndc,DC=nasa,DC=gov, " ], "identitytype": "service_account", "owner_auid" : "redacted", "owner_employeenumber" : "redacted", "owner_groups" : [ "[redacted]", "cn=GSFC-CMR_INGEST_PRODUCTION,[redacted]", "cn=GSFC-CMR_INGEST_UAT,[redacted]", "[redacted]" ], "session_idleremaining" : 3379, "session_idletimeout" : 3600, "session_lasttime" : 1584114695, "session_maxremaining" : 3366, "session_maxtimeout" : 3600, "session_starttime" : 1584114682, "session_sourceip" : "[redacted]", "ssozone" : "SM", "status" : "success", ...... }
or
{ "auid": "redacted", "authlevel": 40, "gatewaytime": 1666882286, "groups": [redacted], "identitytype": "user", "levelofconfidence": 40, "session_idleremaining": 768, "session_idletimeout": 900, "session_lasttime": 1666882154, "session_maxremaining": 35867, "session_maxtimeout": 36000, "session_starttime": 1666882153, "session_sourceip": "redacted", "ssozone": "SM", "status" : "success", ...... }
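As an added example (not part of the original page or of any NASA tooling), the Python below processes the two kinds of response shown above: it stores sm_token in a token file readable only by its owner, and it checks a validate response for status, remaining session time and group membership. The function names, the 300-second threshold and the sample responses are constructed for illustration; the group check assumes the GSFC-CMR_INGEST_* entries seen in the sample output are the ones you care about.

```python
import json
import os

# Constructed sample responses modelled on the ones above (the token is fake).
SAMPLE_GETTOKEN = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"authlevel": 25, "session_maxtimeout": 3600, '
    '"sm_token": "EXAMPLE-NOT-A-REAL-TOKEN", "status": "success"}'
)
SAMPLE_VALIDATE = json.dumps({
    "status": "success", "groups": ["CN=ND-GG-SV-GS-Services,OU=Groups,DC=example"],
    "owner_groups": ["cn=GSFC-CMR_INGEST_UAT,ou=example"],
    "session_idleremaining": 3379, "session_maxremaining": 3366,
})

def json_body(raw):
    """Parse a response body; also accepts `curl -i` output (headers first)."""
    if raw.lstrip().startswith("HTTP/"):
        raw = raw.replace("\r\n", "\n").split("\n\n", 1)[1]
    return json.loads(raw)

def save_token(gettoken_raw, path):
    """Write {"token": sm_token} to path with mode 0600; return the file mode."""
    resp = json_body(gettoken_raw)
    if resp.get("status") != "success" or not resp.get("sm_token"):
        raise ValueError("gettoken response carries no usable sm_token")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump({"token": resp["sm_token"]}, handle)
    os.chmod(path, 0o600)  # tighten a file that already existed with wider modes
    return os.stat(path).st_mode & 0o777

def validation_problems(validate_raw, min_remaining=300, required_group=None):
    """Return the reasons (possibly none) not to rely on the validated token."""
    resp = json_body(validate_raw)
    if resp.get("status") != "success":
        return ["status is %r" % resp.get("status")]
    problems = []
    left = min(resp.get("session_idleremaining", 0), resp.get("session_maxremaining", 0))
    if left < min_remaining:
        problems.append("session expires in %d s" % left)
    if required_group:
        # Group DNs appear with both "CN=" and "cn=", so compare the first RDN case-insensitively.
        dns = resp.get("groups", []) + resp.get("owner_groups", [])
        wanted = "cn=" + required_group.lower()
        if not any(dn.split(",")[0].strip().lower() == wanted for dn in dns):
            problems.append("not a member of " + required_group)
    return problems
```

The token is a bearer credential for the lifetime of the session, which is why the file is created with owner-only permissions rather than left at the default umask.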
5 Comments
Shannon Flynn
Is there a sit or uat equivalent of the https://api.launchpad.nasa.gov/icam/api/sm/v1/gettoken address shown above? I've tried simply inserting the appropriate signifier but get errors like
when I make the attempt
Later readers, note:
It has been requested that nobody use the SIT endpoint, as this is hooked into the Sandbox Launchpad (see Yonggang's comment below).
Yonggang Liu
Both CMR UAT and PROD use the Token Service Production endpoint: https://api.launchpad.nasa.gov/icam/api/sm/v1/gettoken. CMR SIT uses the Token Service Sandbox endpoint: https://api.launchpad-sbx.nasa.gov/icam/api/sm/v1/gettoken
Shannon Flynn
The above walkthrough is useful for curl implementations using OpenSSL. Some curl implementations use the Netscape Security System (NSS) instead of OpenSSL. You can check what variety of curl you have using the command "curl -V". The curl software in the excerpt below states that it uses NSS:
For curl implementations using NSS, you can't just specify the location of the .pfx certificate in the command as shown above. Instead, you have to obtain the certificate and its associated passphrase, then either insert it into an existing NSS certificate database or create a new database and insert the certificate there.
The command to query the certificate directly about itself, for reference's sake, is:
The commands to create a new NSS certificate database (without a password) are:
The command to insert the certificate into an existing database is:
This is the command to list the certificates in your database. You will need the name of the certificate as it appears in the database in order to use it.
Now you have to tell curl where to look for the certificate you want (which NSS database) by exporting SSL_DIR. Consult the curl manual for more information:
After setting all of the above up, the command to get a token then becomes:
$ curl --silent --cert <Name of the certificate in your database> https://api.launchpad.nasa.gov/icam/api/sm/v1/gettoken
FYI: For ease of use (e.g., among a group), note the contents of (certificates in) these databases may be used when their permissions are set to 640 (owner read/write, group read).
Tyler Stevens
Is there any documentation on creating the above request using Postman? That would be helpful to me.
Tyler Stevens
It would also be helpful if there was documentation on how to create an environment variable.