Currently, users must authenticate with their Earthdata Login information in order to ingest metadata into CMR. NASA has mandated that CMR require users to authenticate using Launchpad (NASA's single sign-on service) in order to ingest new metadata, update existing metadata, or delete metadata from CMR. This requirement holds true for users who use a browser-based interface like the MMT to ingest and manage metadata holdings, as well as users who ingest metadata programmatically through the CMR REST APIs.
ALL CMR ingest and MMT users will need to update their workflows to accommodate these changes.
This document outlines the process for migrating providers' ingest operations from Earthdata Login to Launchpad authentication for the CMR and the MMT. For information on setting up Launchpad authentication for Cumulus deployments, go here: Cumulus Launchpad Authentication
The migration from URS to Launchpad Authentication will have three phases:
Phase 1: Earthdata Login Only
All CMR ingest and MMT users can authenticate using Earthdata Login credentials, but cannot authenticate using Launchpad.
Phase 2: Earthdata Login and Launchpad Both Enabled (Current Implementation)
During Phase 2, the MMT will offer users the option to authenticate with either URS or Launchpad credentials. Similarly, the CMR REST APIs will accept both URS and Launchpad tokens for authentication during this time. During this period, the CMR and MMT teams will communicate the full transition plan to our users. It is our hope that during this phase, all users will complete the steps necessary to enable Launchpad authentication for themselves, in preparation for Phase 3, when Earthdata Login credentials will no longer be accepted for CMR ingest requests and access to the MMT.
Phase 3: Launchpad Authentication Only
When we transition to Phase 3, the MMT will stop offering users the ability to log in using their Earthdata Login credentials, and the CMR REST APIs will stop accepting Earthdata Login tokens for ingest requests. All users must be fully compliant with the Launchpad Authentication process at this time, or they will not be able to ingest, update, or delete metadata using the CMR REST API or access the MMT.
To authenticate to either MMT or CMR using Launchpad credentials, each user will first need to submit a NAMS request to be permitted to authenticate to CMR, then an MMT NAMS request to be permitted to ingest via MMT, if appropriate.
Once the NAMS requests are approved and your account has been provisioned, each user will need to link their Earthdata Login account to their Launchpad account.
Step 1: Submit the CMR NAMS request
Step 2: Submit the MMT NAMS request
For ingest access in the SIT or UAT environments, separate NAMS requests must be submitted following the same process described in steps 1 and 2 above. The table below shows the NAMS requests required for all environments:
| | SIT (CMR Application Developers Only) | UAT | PROD |
|---|---|---|---|
| CMR NAMS Request | GSFC ESDIS CMR SIT (CLISIT)* | GSFC ESDIS CMR UAT (CLIUAT) | GSFC ESDIS CMR PROD (CLIPROD) |
| MMT NAMS Request | GSFC ESDIS Metadata Management Tool (MMT) SIT* | GSFC ESDIS Metadata Management Tool (MMT) UAT | GSFC ESDIS Metadata Management Tool (MMT) |

* Launchpad access to the SIT environment is restricted to CMR application developers. Please contact CMR OPS if you require Launchpad access to CMR-SIT: cmr-support@earthdata.nasa.gov. Submit NAMS requests for SIT via https://idmaxsupport.nasa.gov/
Step 3: Link your MMT account with your Launchpad credentials
Once your CMR and MMT NAMS requests have been approved and your account has been provisioned, your Launchpad credentials can be used to access the MMT by selecting the "Login with Launchpad" button on the MMT home page:
After entering your Earthdata Login credentials, the MMT will then automatically associate your existing provider permissions with your Launchpad account.
In order to successfully ingest metadata via the CMR REST APIs, your ingest client will need to provide CMR with a Launchpad Authentication token in the ingest request. The exact method of procuring this token may vary based on how your provider's ingest client has been built, but we will attempt to provide some best practices and examples to help everyone become compliant. Your provider will need a Service Account and a PKI Certificate in order to procure the Launchpad token, and we recommend that a single person with your provider be responsible for owning the Service Account and PKI Certificate. We will refer to this owner as the Launchpad Champion in this documentation.
It is OK for a DAAC to have multiple Service Accounts AND it is okay for a DAAC to share a Service Account with their DAAC team. There is no set number of Service Accounts required of a DAAC. If you need to transfer ownership of the NAMS Service Account, the new account owner will need to submit NAMS requests for CMR Ingest access via Launchpad (see CMR NAMS request instructions below). You may also need to update your client configurations in order to avoid breaking your ingest workflows.
Every user in your provider who needs to ingest metadata will need to submit the following NAMS request for CMR Ingest access via Launchpad:
CMR NAMS request (This is the same process detailed above for MMT users - if you have completed this request already, you do not need to do it again)
In addition, to get the provider set up for ingest, your Launchpad Champion will need to take the following steps:
Once these setup steps are complete, you will have a PFX file and a passcode issued by the PKI group. Your ingest client can then be configured to request a Launchpad token from the Token Service, which can be passed to CMR during your ingest request. This will likely require code changes to your ingest client. We've provided some code samples below that may help you make these code changes, and the CMR team is available to assist by email at cmr-support@earthdata.nasa.gov or by posting in the #cmr public channel on the EOSDIS Slack instance.
Example Code for Requesting Launchpad Token
Once you obtain a Launchpad token using your ingest client, that token can be passed to CMR in the request header in place of the Earthdata Login token you are currently passing. Below is an example curl command to ingest a collection into the CMR UAT environment using your Launchpad token:
curl -i -XPUT -H "Content-Type:application/echo10+xml" -H "Cmr-pretty:true" -H "Expect:" -H "Authorization: PTeS3MMKY9xtG4RlWGo[redacted]" https://cmr.uat.earthdata.nasa.gov/ingest/providers/PROV1/collections/coll1 -d @/Users/yliu10/coll1.xml
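The curl command above passes the Launchpad token as a command-line argument, where it is visible in the process list and in shell history. The following added example (not part of the original CMR documentation or the CMR project's code) sends the same headers through an owner-only curl config file instead. The function names, the token file, and the allow-list for provider and native ids are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not CMR project code): ingest with a Launchpad token without
# putting the token in argv, where `ps` and shell history would expose it.
CMR_BASE_URL="${CMR_BASE_URL:-https://cmr.uat.earthdata.nasa.gov}"  # UAT host from the page

# Build the ingest URL. The character allow-list is this example's assumption.
cmr_collection_url() {
  local provider="$1" native_id="$2"
  [ -n "$provider" ] && [ -n "$native_id" ] || return 1
  case "$provider$native_id" in
    *[!A-Za-z0-9_.-]*) echo "invalid provider or native id" >&2; return 1 ;;
  esac
  printf '%s/ingest/providers/%s/collections/%s\n' "$CMR_BASE_URL" "$provider" "$native_id"
}

# Read the token from a file and refuse files that group or others can access.
read_launchpad_token() {
  local file="$1" mode token
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 1
  case "$mode" in
    *00) ;;
    *) echo "$file must not be accessible to group/other (mode $mode)" >&2; return 1 ;;
  esac
  token=$(tr -d '\r\n' < "$file")
  case "$token" in
    ''|*[[:space:]]*|*\"*|*\\*) echo "token empty or malformed" >&2; return 1 ;;
  esac
  printf '%s' "$token"
}

# Write the headers from the page's curl command to an owner-only curl config.
write_ingest_config() {
  local token="$1" cfg
  cfg=$(umask 077 && mktemp) || return 1
  printf 'header = "%s"\n' "Content-Type: application/echo10+xml" "Cmr-pretty: true" \
    "Expect:" "Authorization: $token" > "$cfg"
  printf '%s' "$cfg"
}

# PUT an ECHO10 collection file; prints the HTTP status, succeeds only on 2xx.
cmr_ingest_collection() {
  local url token cfg status
  url=$(cmr_collection_url "$1" "$2") || return 1
  token=$(read_launchpad_token "$4") || return 1
  cfg=$(write_ingest_config "$token") || return 1
  status=$(curl -sS -o /dev/null -w '%{http_code}' -X PUT -K "$cfg" --data-binary "@$3" "$url")
  rm -f "$cfg"
  printf '%s\n' "$status"
  case "$status" in 2??) return 0 ;; *) return 1 ;; esac
}
```

Call it as `cmr_ingest_collection PROV1 coll1 coll1.xml /path/to/token-file`, where the token file path is a placeholder for wherever your ingest client stores the token it obtained.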
Once you have successfully completed Launchpad setup and have a verified workflow, please create an Enterprise Service Desk ticket for assistance with errors in Launchpad token creation or with the ICAM API endpoint generally. For details, see: ESD ICAM Helpdesk Request 2022.pdf