The default configuration for REST accepts connections only from a local system on a UNIX socket. However, you can open a public port and provide secure transport over TLS for remote RAD clients. This section provides information about the three general steps required:
Create a service instance to handle requests from remote clients.
Test the remote connection.
Set up a RAD connection.
The following example shows a sample SMF manifest after modification.
# cat rad-remote-http.xml
<?xml version="1.0" ?>
<!DOCTYPE service_bundle
SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type="manifest" name="site/rad">
<service version="1" type="service" name="site/rad">
<dependency restart_on="none" type="service"
name="multi_user_dependency" grouping="require_all">
<service_fmri value="svc:/milestone/multi-user"/>
</dependency>
<exec_method name='start' type='method' exec='/usr/lib/rad/rad -sp' timeout_seconds='0'/>
<exec_method name='stop' type='method' exec=':kill' timeout_seconds='0'/>
<instance name='remote-http' enabled='false' complete='true'>
<property_group name='ssl_port' type='xport_tls'>
<propval name='certificate' type='astring' value='/etc/rad/cert.pem'/>
<propval name='generate' type='boolean' value='true'/>
<propval name='localonly' type='boolean' value='false'/>
<propval name='pam_service' type='astring' value='rad-tls'/>
<propval name='port' type='integer' value='12303'/>
<propval name='privatekey' type='astring' value='/etc/rad/key.pem'/>
<propval name='proto' type='astring' value='rad_http'/>
<propval name='value_authorization' type='astring' value='solaris.smf.value.rad'/>
</property_group>
<property_group name='config' type='application'>
<property name='moduledir' type='astring'>
<astring_list>
<value_node value='/usr/lib/rad/transport'/>
<value_node value='/usr/lib/rad/protocol'/>
<value_node value='/usr/lib/rad/module'/>
<value_node value='/usr/lib/rad/site-modules'/>
</astring_list>
</property>
</property_group>
</instance>
<template>
<common_name>
<loctext xml:lang="C">Remote RAD HTTP</loctext>
</common_name>
<description>
<loctext xml:lang="C">RAD connections over REST (HTTP)</loctext>
</description>
</template>
</service>
</service_bundle>
Note the following items in the example manifest:
The port property defines the port number on which RAD accepts remote connection, which in this example is set to 12303.
The proto property defines the protocol to use. In this example, it is set to HTTP as indicated by rad-http.
# cp rad-remote-http.xml
/lib/svc/manifest/site
# svcadm restart manifest-import
# svcadm enable rad:remote-http
https://hostname:12303
The request returns a response similar to the following example:
{
"status": "illegal access",
"payload": {
"Message": "Response content type 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' requested
yet only 'application/json' is supported by the origin server.",
"HTTP Method": "GET",
"URI": "/",
"RAD Operation": null
}
}
After you have created a service instance to handle remote requests, the next step is to authenticate and establish a RAD connection from a client. To authenticate:
For example:
# cat body.json
{
"username": "testuser",
"password": "testpassword",
"scheme": "pam",
"preserve": true,
"timeout": -1
}
Perform this procedure once per client. Choose the steps for your certificate source.
RADserver # cp /etc/rad/RADserver.pem /net/RADclient/etc/certs/CA
Use a unique name, such as the RAD server name, as in RADserver.pem.
RADclient # svcadm restart ca-certificates
RADclient # ls /etc/certs/CA ... Example-Security_EV_RootCA1.pem Example-Security_RootCA2.pem Example-Security_Root_CA.pem ...
RADclient # svcadm restart ca-certificates
For example, you can now use the curl command on the client with a slightly different set of options to make a TLS connection to the RAD server.
RADclient # curl -H "Content-type: application/json" -X POST \ --data-binary @body.json \ -v -c cookie.txt -b cookie.txt \ https://RADserver.example.com:12303/api/com.oracle.rad.authentication/1.0/Session