Creating a User Access Token Request Function Parent topic

A SecureCloud API request that successfully obtains a user access token is able to bypass the User Access Token Filter, the third and final authentication filter.
To successfully receive a user access token, you will need to use the following SecureCloud account credentials:
  • SecureCloud account name
    This is your account name used to log on the Key Management Server web console.
  • SecureCloud account password
    This is your password used to log on the Key Management Server web console.
  • SecureCloud account ID
    This 32-character (plus 4 hyphens) string is shown on the User Management screen of the Key Management Server web console.
The following task shows how to use the public certificate and your SecureCloud account credentials to request a user access token, add the user access token to a variable, and format the user access token into XML.
Note
Note
Each of these programming tasks assumes that you are you are using a new programming code file. The examples shown are using Python programming language. Other programming languages, such as C++ or Java, are capable of performing the same requests.

Procedure

  1. Define this entire part of the API request as a function.
    In the example, this function is the Get User Access Token function. The function is defined as get_user_token().
    def get_user_token():
  2. Create variables for each part of SecureCloud account credentials.
    These variables are as follows:
    • SecureCloud account name
      In the example, this variable is securecloud_login_name.
    • SecureCloud account password
      In the example, this variable is securecloud_login_password.
    • SecureCloud account ID
      In the example, this variable is securecloud_account_id.
    securecloud_account_id = "1FB18C52-2D93-4983-9784-7915163759A7"
    securecloud_login_name = "test_user"
    securecloud_login_password = "12345678"
  3. Create the API URL variable using the UserBasicAuthentication() API and the variable for your SecureCloud account name.
    api_url = "https://ms.securecloud.com/broker/API.SVC/v3.5/userBasicAuth/" + securecloud_login_name + "?tenant="
  4. Copy your digest authentication process and paste it into this part of the API request.
    The digest authentication process parts can be placed at varying locations in the request code, as long as the programming language does not encounter sequencing problems. Declare the API URL variable before calling API URL requests.
  5. Call your public certificate request function.
    pub_cert = get_server_certificate()
  6. Extract the public key of the public certificate using TomCrypt.
    from tomcrypt import rsa
    key = rsa.Key(pub_cert)
    pub = key.public
  7. Encrypt your SecureCloud account password using the public key of the public certificate.
    password = bytes(securecloud_login_password)
    encrypted_password = pub.encrypt(password, None, "sha256", "oaep")
    encrypted_password = base64.b64encode(encrypted_password)
  8. Create the body of the user access token request in XML format using your SecureCloud account ID and the encrypted version of your SecureCloud account password.
    req_xml = """<?xml version="1.0" encoding="utf-8"?>
          <authentication data="%s" accountId="%s" />""" %
          (encrypted_password, securecloud_account_id)
  9. Add the XML request body to the API request found in your digest authentication process.
    Important
    Important
    This adds one line of text to the existing code of the digest authentication process. Do not create duplicate code.
    If necessary, move the API request section of the digest authentication process to after your variable declaration for the XML user access token request body.
    req = urllib2.Request(api_url)
    req.add_header('Content-Type', 'application/xml; charset=utf-8')
    req.add_header('BrokerName', digest_broker_account)
    req.add_data(req_xml)
  10. Create the API request.
    try:
          sc_get_req = opener.open(req)
          res = sc_get_req.read()
    Note
    Note
    For the sake of this example, this section is just the beginning of the Python compound statement try. If using Python, continue this try statement until the end of the function.
  11. Format the user access token into XML.
    In this example, the variable res contains the unformatted user access token.
    xmldata = xml.dom.minidom.parseString(res)
  12. Extract the user access token.
    In this example, the variable session_token is the intended variable to contain the extracted user access token.
    auth_result = xmldata.getElementsByTagName("authenticationResult")[0]
    session_token = auth_result.attributes["token"].value.strip()
    
    return session_token
  13. Perform error checking.
    except urllib2.HTTPError, e:
          logging.error(e)
    except urllib2.URLError, e:
          logging.error(e)
    except Exception, e:
          logging.error(e)

Sample Code Parent topic

# Define this part of the API request as a function.
def get_user_token():

      # Create variables for each part of the broker account information.                       
      digest_broker_account = "test_digest_account"                       
      digest_password = "QTpYVL0QKI"                       
      digest_realm = "securecloud@trend.com"

      # Create variables for each part of SecureCloud account credentials.
      securecloud_account_id = "1FB18C52-2D93-4983-9784-7915163759A7"
      securecloud_login_name = "test_user"
      securecloud_login_password = "12345678"

      # Call your public certificate request function.
      pub_cert = get_server_certificate()

      # Extract the public key of the public certificate using TomCrypt.
      from tomcrypt import rsa
      key = rsa.Key(pub_cert)
      pub = key.public

      # Encrypt your SecureCloud account password using the public key of the public certificate.
      password = bytes(securecloud_login_password)
      encrypted_password = pub.encrypt(password, None, "sha256", "oaep")
      encrypted_password = base64.b64encode(encrypted_password)
      
      # Create the body of the user access token request in XML format.
      req_xml = """<?xml version="1.0" encoding="utf-8"?>
            <authentication data="%s" accountId="%s" />""" %
            (encrypted_password, securecloud_account_id)

      # Create the API URL variable using the UserBasicAuthentication() API.
      api_url = "https://ms.securecloud.com/broker/API.SVC/v3.5/userBasicAuth/" + securecloud_login_name + "?tenant="
      
      # Add broker account information and the API URL to the password manager in the same function.                      
      pwd_mgr = urllib2.HTTPPasswordMgr()                       
      pwd_mgr.add_password(digest_realm, api_url, digest_broker_account, digest_password)
      
      # Add the broker account information and the API URL to the API request handler.                       
      opener = urllib2.build_opener()
      opener.add_handler(urllib2.HTTPDigestAuthHandler(pwd_mgr))

      # Request the API using the API URL.
      req = urllib2.Request(api_url)
      req.add_header('Content-Type', 'application/xml; charset=utf-8') # Set the request data type to XML format
      req.add_header('BrokerName', digest_broker_account) # Include the broker account information in the header
      req.add_data(req_xml) # Add the XML user access token request body
      
      # Create the API request.
      try:                                               
            sc_get_req = opener.open(req)                                              
            res = sc_get_req.read()
      
            # Format the user access token into XML.
            xmldata = xml.dom.minidom.parseString(res)

            # Extract the user access token.
            auth_result = xmldata.getElementsByTagName("authenticationResult")[0]
            session_token = auth_result.attributes["token"].value.strip()

            return session_token

      # Perform error checking.
      except urllib2.HTTPError, e:
            logging.error(e)
      except urllib2.URLError, e:
            logging.error(e)
      except Exception, e:
            logging.error(e)