Authentication

The REST APIs for Oracle Clusterware use an HTTPS server certificate that is a subordinate certificate of the cluster root certificate. The cluster root certificate, which can be found in location $ORACLE_BASE/crsdata/$HOSTNAME/security/rootwallet, enables clients to connect securely to the REST interface.

Note:

Ensure that you have the appropriate log-in credentials for creating, managing, and deleting the REST APIs for Clusterware instances.

You can access the REST APIs for Clusterware resources over HTTPS. For authentication, you must provide the user name and the password for your REST API for Clusterware account. For example, to authenticate using cURL, use the -u cURL option to pass the user name and the password.

When you run cURL from a Windows command shell, you must provide an SSL certificate authority (CA) file or bundle to authenticate against the cluster root certificate. You can perform this in one of the following ways:

  • Set the CURL_CA_BUNDLE environment variable to the location of an SSL certificate authority (CA) certificate file or bundle.
  • Specify the location of your local CA certificate bundle on the command line, using the --cacert command line option. To perform this, open a command-line window, navigate to the directory where you installed cURL, and then set the CURL_CA_BUNDLE environment variable to the location of the SSL CA certificate file using the following command:

    C:\curl> set CURL_CA_BUNDLE=cacert.pem

The following is an example of the syntax for cURL commands:

    curl -i -X GET -u <username>:<password> -H <request-header>:<value> https://<subdomain>.<domain>.com:<port>/<resource-path>

REST APIs for Oracle Clusterware require that the Cross Cluster Domain Protocol (CDP) daemon is running on all of the SCAN virtual IP addresses (VIPs) of the cluster. The CLI REST endpoints enable you to execute CLIs as asynchronous jobs. You can access the output of a command from a CLI REST endpoint at a later point in time, and get return codes and execution time.

To make the REST APIs secure by default, all requests that are not from IP addresses of nodes in the cluster are rejected. The CDP daemon monitors the nodes in the cluster and rejects any request to the CLI REST endpoint that does not match the IP addresses. To support the ability to make requests from outside the cluster, you can run the srvctl modify cdp command to provide a list of IP addresses or networks in CIDR format.
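The following Python sketch is an added example, not Oracle code: it reviews a candidate list of IP addresses and CIDR networks before the list is handed to srvctl modify cdp, and shows which source addresses a default-deny check would then admit. The matching rules, the MIN_PREFIX threshold, the function names, and all addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from a real cluster.
NODE_IPS = ["192.0.2.11", "192.0.2.12"]
EXTRA_ENTRIES = ["198.51.100.0/28", "203.0.113.7", "10.0.0.5/8", "0.0.0.0/0", "bogus"]
MIN_PREFIX = {4: 24, 6: 64}  # assumed review policy: flag anything broader


def parse_allowlist(entries):
    """Return (networks, findings) for a list of IP or CIDR strings."""
    networks, findings = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Host bits set (e.g. 10.0.0.5/8): model it as the covering network.
                net = ipaddress.ip_network(entry, strict=False)
                findings.append((entry, f"host bits set, covers {net}"))
            except ValueError:
                findings.append((entry, "not an IP address or CIDR network"))
                continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((entry, f"broad range, {net.num_addresses} addresses"))
        networks.append(net)
    return networks, findings


def is_allowed(source_ip, node_ips, networks):
    """Default deny: admit cluster node addresses and listed networks only."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # treat ::ffff:a.b.c.d as the IPv4 address
    if any(addr == ipaddress.ip_address(n) for n in node_ips):
        return True
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets, issues = parse_allowlist(EXTRA_ENTRIES)
    for entry, problem in issues:
        print(f"review {entry!r}: {problem}")
    for src in ["192.0.2.11", "198.51.100.14", "198.51.100.16", "::ffff:203.0.113.7"]:
        print(src, "->", "accept" if is_allowed(src, NODE_IPS, nets) else "reject")
```

With the constructed list above, the 0.0.0.0/0 entry causes every IPv4 source to be accepted, which is the kind of entry the findings are meant to surface before the allowlist is widened.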