Creating the New OAuth2 Client

The vRealize Automation administrator runs a command to create a new OAuth2 client. Any vRealize CloudClient user who wants to authenticate with vRealize Automation needs the new OAuth2 client ID and secret.

Creating a new OAuth2 client in vRealize Automation is a privileged operation. To create a new OAuth2 client, the administrator must authenticate with vRealize Automation using an existing client ID and secret.

Obtaining the Existing OAuth2 Client ID and Secret

During the initial deployment of vRealize Automation, an OAuth2 client is created for internal use. The vRealize Automation administrator logs in to the vRealize Automation virtual appliance as root using SSH and runs the following commands to obtain the client ID and secret.
  • To obtain the existing client ID:
    $ grep -i csp-admin= /etc/vcac/solution-users.properties | sed -e 's/csp-admin=//'
  • To obtain the existing client secret (the stored value is encrypted, so it is passed to vcac-config prop-util for decryption):
    $ grep -i csp-admin.secret /etc/vcac/solution-users.properties | sed -e 's/csp-admin.secret=//' | xargs -n 1 vcac-config prop-util -d --p

Creating the New OAuth2 Client

To create a new OAuth2 client, the vRealize Automation administrator logs in to vRealize CloudClient and runs the following command.

CloudClient> vra oauth2client create --server <vra-server-fqdn>
             --tenant <tenant-id>
             --newoauth2clientid <cc-oauth2-client-id>
             --newoauth2clientsecret <cc-oauth2-client-secret>
             --existingoauth2clientid <existing-oauth2-client-id>
             --existingoauth2clientsecret <existing-oauth2-client-secret>
             --port <port-number>
             --accesstokenttl <token-lifetime-in-seconds>
             --refreshtokenttl <token-lifetime-in-seconds>

Table 1. Input parameters for the vra oauth2client create command

vra-server-fqdn
    Hostname of the vRealize Automation server.
tenant-id
    Tenant with which the user is authenticating.
cc-oauth2-client-id
    ID of the new OAuth2 client, chosen by the vRealize Automation administrator.
cc-oauth2-client-secret
    Secret of the new OAuth2 client, chosen by the vRealize Automation administrator.
existing-oauth2-client-id
    ID of an existing OAuth2 client registered with vRealize Automation.
existing-oauth2-client-secret
    Secret of that existing OAuth2 client registered with vRealize Automation.
port-number
    Port on the physical machine where vRealize CloudClient is running. vRealize Automation sends the OAuth2 authorization code to the vRealize CloudClient listener on this port.
token-lifetime-in-seconds for --accesstokenttl (optional)
    Number of seconds from generation to expiration of the access token that is generated when the new OAuth2 client ID and secret are used during authentication by the end user. If unspecified, the default value is 3600 (1 hour).
token-lifetime-in-seconds for --refreshtokenttl (optional)
    Number of seconds from generation to expiration of the refresh token that is generated when the new OAuth2 client ID and secret are used during authentication by the end user. If unspecified, the default value is 2592000 (30 days).

If the command is successful, the following output appears.

Successfully created OAuth2 Client
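The following POSIX shell script is an added example, not part of the VMware documentation or of vRealize CloudClient. It reads the existing client ID and secret from a constructed sample of solution-users.properties (assumption: plain key=value lines, as the grep/sed pipeline above implies), validates the listener port and the two TTLs against the documented defaults, and assembles the vra oauth2client create line; the vcac-config prop-util decryption step only works on the appliance, so it is skipped here.

```shell
#!/bin/sh
# Constructed sample of /etc/vcac/solution-users.properties with placeholder
# values; the real file holds the appliance's own csp-admin entries.
SAMPLE_PROPS='csp-admin=csp-admin-PLACEHOLDER-ID
csp-admin.secret=ENCRYPTED-SECRET-PLACEHOLDER
other.key=unrelated'

# prop_value KEY: print the value of KEY from the properties text on stdin.
# Anchoring on "^KEY=" keeps csp-admin from also matching csp-admin.secret.
prop_value() {
  grep -i "^$1=" | sed -e 's/^[^=]*=//' | head -n 1
}

# ttl_or_default VALUE DEFAULT: accept a positive integer number of seconds,
# fall back to DEFAULT when VALUE is empty, reject anything else.
ttl_or_default() {
  case "$1" in
    '') printf '%s\n' "$2" ;;
    *[!0-9]*|0) printf 'invalid ttl: %s\n' "$1" >&2; return 1 ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# check_port PORT: the CloudClient authorization-code listener needs 1-65535.
check_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_create_cmd SERVER TENANT NEW_ID NEW_SECRET PORT [ACCESS_TTL] [REFRESH_TTL]
# Prints the CloudClient command with the documented defaults (3600 s access
# token, 2592000 s refresh token) when the TTLs are omitted. The existing
# secret is used as stored; on the appliance it must first be decrypted with
# vcac-config prop-util -d --p.
build_create_cmd() {
  check_port "$5" || { printf 'invalid port: %s\n' "$5" >&2; return 1; }
  access=$(ttl_or_default "$6" 3600) || return 1
  refresh=$(ttl_or_default "$7" 2592000) || return 1
  exid=$(printf '%s\n' "$SAMPLE_PROPS" | prop_value csp-admin)
  exsecret=$(printf '%s\n' "$SAMPLE_PROPS" | prop_value csp-admin.secret)
  printf 'vra oauth2client create --server %s --tenant %s --newoauth2clientid %s --newoauth2clientsecret %s --existingoauth2clientid %s --existingoauth2clientsecret %s --port %s --accesstokenttl %s --refreshtokenttl %s\n' \
    "$1" "$2" "$3" "$4" "$exid" "$exsecret" "$5" "$access" "$refresh"
}
```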

In a large organization, a vRealize Automation administrator may want to create an OAuth2 client per business group rather than per individual user. vRealize CloudClient end users in the same business group would use the same OAuth2 client. If a user were to leave the organization, the administrator would delete the existing OAuth2 client and create a new client for the business group.