When a plug-in server accesses vSphere data, it needs to authenticate with vCenter Server. To authenticate by using the Web Services API, the plug-in server clones the user session that is currently in use by the plug-in user interface. This gives the plug-in server the same access rights as the user who is logged in with the vSphere Client.

The following steps describe in detail how to clone the user session.

Note

The plug-in server must be registered with the vCenter Server instance before it can clone a session with that instance.

1

The plug-in user interface calls the app.getSessionInfo() method in the client JavaScript library, which in turn contacts the plug-in sandbox to request session information. The sandbox returns an object containing a sessionToken string, which contains a new plug-in session token that can be used for authentication by the plug-in server.

2

The plug-in user interface calls the app.getApiEndpoints() method in the client JavaScript library, which returns an object containing a uiApiEndpoint property. The value of the uiApiEndpoint property is an object containing a fullUrl property, which contains the endpoint URL for a plug-in server REST request to the vsphere-ui service.

3

The plug-in user interface removes any query parameters and fragments from the URL, leaving the scheme, host, port, and path segments. The user interface sends both the session token value and the base URL to the plug-in server.

Note

Do not hard-code the URL in the server.

4

The plug-in server builds a REST request to the vsphere-ui service. The request contains the following:

A POST verb.

The Content-type and Accept headers both set to application/json.

A custom header named vmware-api-session-id, with the session token as its value.

A JSON object body, containing a vc_guid property whose value is the GUID of the vCenter Server instance.

The request will look similar to this:

POST /api/ui/vcenter/session/clone-ticket
Content-type: application/json
Accept: application/json
vmware-api-session-id: 12345678

{
  "vc_guid": "223b94f2-af15-4613-5d1a-a278b19abc09"
}

5

The plug-in server sends the REST request to the vsphere-ui service, which returns a clone ticket valid for the Web Services API of the vCenter Server instance. This is a single-use key to authenticate a call to the SessionManager.

The response will look similar to this:

{
  "session_clone_ticket": "cst-VCT-82cbd981-5f52-0a67-fe55-d995a7347f82--tp-B6-BC-CB-B8-59-89-C0-F2-E4-F0-C2-91-8F-28-C1-DE-10-5E-24-69"
}

6

The plug-in server constructs a SOAP request to obtain a regular session ID from the Web Services API, by using the cloneSession() operation on the Session Manager.

The code for the SOAP request will be similar to this Java example:

// Obtain the Web Services API port.
VimService vimService = new VimService();
VimPortType client = vimService.getVimPort();
// Reference the ServiceInstance singleton.
ManagedObjectReference siRef = new ManagedObjectReference();
siRef.setType("ServiceInstance");
siRef.setValue("ServiceInstance");
ServiceInstance si = client.createStub(ServiceInstance.class, siRef);
ServiceInstanceContent sic = si.RetrieveContent();
// Exchange the single-use clone ticket from step 5 for a regular session.
SessionManager mgr = client.createStub(SessionManager.class, sic.getSessionManager());
UserSession wsSession = mgr.cloneSession(cloneTicket);

7

The plug-in server uses the key property of the UserSession object to authenticate subsequent requests to the Web Services API. The server places a vmware_soap_session cookie in its SOAP request headers, with the session key as the cookie value.
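The URL handling and message shapes from steps 3 to 5, as an added example that is not part of the SDK or of the original page. It is written in JavaScript so that it runs stand-alone; in a deployment, step 3 runs in the plug-in user interface and steps 4 and 5 in the plug-in server. The function names, the HTTPS check, and the assumption that the base URL ends in /api/ui (so that appending /vcenter/session/clone-ticket gives the path shown in step 4) are illustrative.

```javascript
// Added example: function names are illustrative, not part of the vSphere Client SDK.

// Step 3: keep only scheme, host, port and path of uiApiEndpoint.fullUrl.
function toBaseUrl(fullUrl) {
  const u = new URL(fullUrl);
  // Added check (assumption, not stated on the page): the session token
  // should only travel over TLS, so reject any other scheme.
  if (u.protocol !== "https:") {
    throw new Error("refusing non-HTTPS endpoint: " + u.protocol);
  }
  // u.host carries the port when it is not the default one.
  // Userinfo, query parameters and the fragment are dropped.
  return `${u.protocol}//${u.host}${u.pathname.replace(/\/+$/, "")}`;
}

// Step 4: describe the clone-ticket request the plug-in server sends.
// Assumption: baseUrl ends in /api/ui, giving the path shown in step 4.
function buildCloneTicketRequest(baseUrl, sessionToken, vcGuid) {
  if (!sessionToken || !vcGuid) {
    throw new Error("sessionToken and vcGuid are required");
  }
  return {
    method: "POST",
    url: baseUrl + "/vcenter/session/clone-ticket",
    headers: {
      "Content-type": "application/json",
      "Accept": "application/json",
      "vmware-api-session-id": sessionToken,
    },
    body: JSON.stringify({ vc_guid: vcGuid }),
  };
}

// Step 5: extract the single-use ticket from the JSON response body.
function parseCloneTicket(responseText) {
  const ticket = JSON.parse(responseText).session_clone_ticket;
  if (typeof ticket !== "string" || ticket === "") {
    throw new Error("response has no session_clone_ticket");
  }
  return ticket;
}
```

The ticket returned by parseCloneTicket() is the value passed to cloneSession() in step 6.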