
Overview

Currently, users must authenticate with their Earthdata Login information in order to ingest metadata into CMR.  NASA has mandated that, in the coming months, CMR require users to authenticate using Launchpad (NASA's single sign-on service) in order to ingest new metadata, update existing metadata, or delete metadata from CMR.  This requirement applies to users who ingest through a browser-based interface like MMT, as well as to users who ingest programmatically through the CMR REST APIs.

ALL ingest users will need to update their workflows to accommodate these changes.

Timeline

The migration from URS to Launchpad Authentication will have three phases:

Phase 1:  Current Implementation
Currently, all ingest users can authenticate using Earthdata Login credentials, but cannot authenticate using Launchpad.

Phase 2:  Earthdata Login and Launchpad Both Enabled
When Phase 2 begins, the MMT will offer users the option to authenticate with either URS or Launchpad credentials.  Similarly, the CMR REST APIs will accept both URS and Launchpad tokens for authentication during this time.  During this period, the CMR and MMT teams will communicate the full transition plan to our users.  It is our hope that during this phase, all users will complete the steps necessary to enable Launchpad authentication for themselves, in preparation for Phase 3, when Earthdata Login credentials will no longer be accepted for ingest requests.

We are prototyping this phase in Q4 2019 with a few select pathfinder users.  We will formally enter this phase for all users sometime in early 2020, though an exact date has not been determined.

Phase 3:  Launchpad Authentication Only
When we transition to Phase 3, the MMT will stop offering users the ability to log in using their Earthdata Login credentials, and the CMR REST APIs will stop accepting Earthdata Login tokens for ingest requests.  All users must be fully compliant with the Launchpad Authentication process at this time, or they will not be able to ingest, update, or delete metadata.

We do not have a date for when we will enter Phase 3.

Launchpad Authentication via MMT

Alicia, all you.

Launchpad Authentication via CMR REST APIs

In order to successfully ingest metadata via the CMR REST APIs, your ingest client will need to provide CMR with a Launchpad Authentication token in the ingest request.  The exact method of procuring this token may vary based on how your center's ingest client has been built, but we will attempt to provide some best practices and examples to help everyone become compliant.  Your center will need a Service Account and a PKI Certificate in order to procure the Launchpad token, and we recommend that a single person at your center be responsible for owning the Service Account and PKI Certificate.  We will refer to this owner as the Launchpad Champion in this documentation.

Your Launchpad Champion will need to take the following steps:

  1. Create the token service Service Account for your center:
    1. Go to idmax.nasa.gov and submit a request for “AGCY0031 Active Directory Service Account”
    2. Set the Asset Expiration Date to 12/31/2029
    3. In the Business Justification field, enter the name of the provider you are representing and indicate that this request is for Launchpad Authentication
  2. Obtain a PKI Certificate, using the steps on the linked wiki page.  Note that you must have your Service Account from Step 1 before you can request the PKI Certificate.
  3. Request Authorization to Authenticate with Launchpad:
    1. Go to https://idmax.nasa.gov and on the top menu under Credentials, choose “Manage Application Service Accounts”
    2. Choose Manage NCAD Service Accounts
    3. Select the account you want and click the “Request Role Access” for it
    4. Search for “Launchpad Token Service”
    5. Submit for the SiteMinder Token Service role

Once these setup steps are complete, you will have a PFX file and a passcode issued by the PKI group.  Your ingest client can then be configured to request a Launchpad token from the Token Service, which can be passed to CMR during your ingest request.  This will likely require code changes to your ingest client.  We've provided some code samples below that may help you make these code changes, and the CMR team is available to assist by email at cmr-support@earthdata.nasa.gov or by posting in the #cmr_community_dev public channel on the EOSDIS Slack instance.

Example Code for Requesting Launchpad Token

Once you obtain a Launchpad token using your ingest client, that token can be passed to CMR in the request header in place of the Earthdata Login token you are currently passing.  Below is an example curl command to ingest a collection into the CMR UAT environment using your Launchpad token:

curl -i -XPUT -H "Content-Type:application/echo10+xml" -H "Cmr-pretty:true" -H "Expect:" -H "Echo-Token:  PTeS3MMKY9xtG4RlWGo[redacted]" https://cmr.uat.earthdata.nasa.gov/ingest/providers/PROV1/collections/coll1 -d @/Users/yliu10/coll1.xml
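
An added example, not part of the original page or CMR's own tooling: the curl command above places the Launchpad token on the command line, where it is visible in process listings and shell history. The function below emits the same request as a curl config read from stdin, taking the token from an owner-only file; the function name and token file path are assumptions.

```sh
# Added example (not from the original page): emit a curl config for the
# ingest PUT shown above so the Launchpad token is read from a file and is
# not passed as a command-line argument.
#   $1 token file (hypothetical path)   $2 CMR ingest URL   $3 metadata file
cmr_ingest_config() {
  local token_file url metadata perms token
  token_file=$1; url=$2; metadata=$3

  # The token is a bearer credential: require a regular file whose
  # group/other permission bits are all clear (e.g. mode 600).
  perms=$(ls -ld "$token_file" 2>/dev/null) || {
    echo "cannot read $token_file" >&2; return 1; }
  case $perms in
    -???------*) ;;
    *) echo "$token_file: not a private regular file; chmod 600 it" >&2
       return 1 ;;
  esac

  token=$(cat "$token_file") || return 1
  # Reject empty tokens and anything that could split the header or break
  # out of the quoted config value (whitespace, control characters,
  # double quote, backslash).
  case $token in
    ''|*[[:space:]]*|*[[:cntrl:]]*|*\"*|*\\*)
      echo "token is empty or contains unsafe characters" >&2; return 1 ;;
  esac

  # Same method, headers and body as the curl command on this page.
  printf 'request = "PUT"\n'
  printf 'url = "%s"\n' "$url"
  printf 'header = "Content-Type: application/echo10+xml"\n'
  printf 'header = "Cmr-pretty: true"\n'
  printf 'header = "Expect:"\n'
  printf 'header = "Echo-Token: %s"\n' "$token"
  printf 'data = "@%s"\n' "$metadata"
}

# Usage: curl reads the whole request, token included, from stdin.
#   cmr_ingest_config "$HOME/.launchpad_token" \
#     https://cmr.uat.earthdata.nasa.gov/ingest/providers/PROV1/collections/coll1 \
#     coll1.xml | curl -i --config -
```
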