If you are trying to script your IBM API Connect, either for the purpose of faster development/management through CLI or to integrate APIC with your CICD pipeline, you may have ran into issues when trying to log in using “apic login” or “apic-slim login”.
This situation particularly effects users who have migrated from an older version (v5, v2018) to APIC v10 which is installed as a part of a Cloud Pak for Integration (CP4I) platform. In this case, a common CP4I user registry is used and OIDC is used as a part of the login process. Because of this, you need to follow specific instructions ( https://www.ibm.com/docs/en/api-connect/10.0.x?topic=tool-logging-in-management-server-oidc-registry ) which at one point require that you open a browser and log in with your username and password , in order to obtain an API key and finish with the login process. This is not ideal, since you probably want your scripts to be completely automated. Another bad news is - even when you obtain your API key, it can be used only once and it will expire in 5 minutes.
The good news is - this is the default configuration which can be changed -> you can set your API key to last longer and also to be reusable multiple times. You are still required to make the manual step, but modifying the configuration will allow you to generate an API key only once and afterwards use it without restrictions. The key parameters which need to be modified are a part of the Cloud Manager settings and are called:
- api_key_multiple_uses (true or false)
- api_key_expires_in (time period of key validity after being issued, in seconds )
If you want to change them, you will need to do that through CLI, since at the time of writing this text the “api_key_multiple_uses” parameter is not available through the Cloud Manager UI.
More details on these parameters can be found in the documentation:
https://www.ibm.com/docs/en/api-connect/10.0.x?topic=settings-allowing-api-key-be-used-multiple-logins
https://www.ibm.com/docs/en/api-connect/10.0.x?topic=settings-configuring-api-key-timeouts
To save you some time, here are short instructions which will help you to change both parameters (use apic or apic-slim, depending on the client you have downloaded):
Login to the management server (make sure user has appropriate privileges and that your credentials json file is set):
apic-slim login --server myAPICManagementServer --context admin --username someUsername --password somePassword --realm admin/common-services --sso
Review the configuration related to the API key:
apic-slim cloud-settings:get --fields api_key_expires_in,api_key_multiple_uses --output - --server myAPICManagementServer
api_key_expires_in: 300
api_key_multiple_uses: false
Save the parameters in a local yaml file (should be named CloudSetting.yaml):
apic-slim cloud-settings:get --fields api_key_expires_in,api_key_multiple_uses --server myAPICManagementServer
Edit the yaml file to contain the following (in the example, api_key_expires_in is set to maximum value of 68 years, expressed in seconds - change according to your needs):
api_key_expires_in: 2147483647
api_key_multiple_uses: true
Update the configuration on the server:
apic-slim cloud-settings:update CloudSetting.yaml --server myAPICManagementServer
( I think I have read somewhere that it might take a couple of minutes to actually apply/propagate the changes to configuration, so if it doesn't work immediately, give it a couple of minutes. )
Now - even after logging out, you can still log back in using the same API key - try it out! (be careful, the setting is not immediately applied to the current session, so first do a logout):
apic-slim logout --server myAPICManagementServer
After logout, log back in (get new API key), and then you can test your new token -> logout and log back in with the same token.
I hope this post was helpful to you and that the approach used is a good solution for you. If there are any mistakes, or there is a better approach, please let me know through the comments.