This is the multi-page printable view of this section. Click here to print.
How To
- 1: Call Manhattan Active® API
- 1.1: Authenticate to Manhattan Active® API
- 1.2: Call Manhattan Active® API from your code
- 1.3: Call Manhattan Active® API using Postman
- 1.4: Manhattan Active® API Reference
- 2: Configure login modes
- 3: Configure Data Stream for Google PubSub
- 4: Manage OAuth clients
1 - Call Manhattan Active® API
Manhattan Active® API follows the REST architectural style. Our API has predictable resource-oriented URLs, accepts and returns JSON, and uses standard HTTP response codes, authentication, and verbs.
What’s next
1.1 - Authenticate to Manhattan Active® API
Before you begin
Before authenticating to an API, it is necessary to have an authorized user (OAuth resource owner) and an OAuth client.
Authentication information
Manhattan Active® API supports the following OAuth 2.0 authorization grants (OAuth flows):
- Authorization Code Grant (web server flow)
- Resource Owner Password Credentials Grant (password flow)
Please contact your organization’s Manhattan Active® Platform administrator for the following OAuth settings:
Setting | Description | Example |
---|---|---|
API URL | Manhattan Active API URL | https://<unique_id>.omni.manh.com |
Username | The resource owner username | user@manh.com |
Password | The resource owner password | h3ll0 |
Client Id | API client id | omnicomponent.1.0.0 |
Client Secret | API client password | w0r1d |
Token URL | URL for access token endpoint | https://<unique_id>-auth.omni.manh.com/oauth/token |
Authorization URL | Authorization Code URL (web server flow) | https://<unique_id>-auth.omni.manh.com |
Authenticate from your code
For access to Manhattan Active® API from your software, please see Call from your code
Authenticate using Postman
For access to Manhattan Active® API from Postman, please see Call using Postman
What’s next
To learn more about calling an individual Manhattan Active® API, please see the REST API documentation in our product sites:
1.2 - Call Manhattan Active® API from your code
This how-to guide will walk you through a very simple Python command line utility (CLI). The utility will obtain an access token for Manhattan Active® API using the OAuth 2.0 Resource Owner Password Credentials Grant. That token will then be used to call the following to get information for the authenticated user:
GET /api/organization/user/allDetails/userId/
Before you begin
Before beginning, please assemble the authentication information.
Obtain an access token
The OAuth 2.0 Resource Owner Password Credentials Grant (direct access) may be used to obtain an API access token. The token endpoint may be called as follows:
def access_token(client_id, client_secret, token_url, username, password):
"""Return access token for Manhattan Active® API using the resource owner password credentials grant
Conforms to https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
Must authenticate to token endpoint with client credentials:
https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1
Args:
client_id (str): client identifier
client_secret (str): client password
token_url (str): endpoint to obtain access token
username (str): the resource owner username
password (str): the resource owner password
Returns:
string: access token
Raises
HTTPError: http error
"""
# Access Token Request: https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.2
response = requests.post(token_url, data={
"grant_type": "password",
"username": username, "password": password},
auth=(client_id, client_secret))
response.raise_for_status()
return response.json()["access_token"]
Call an API
To call the API, obtain an access token above and place it in the Authorization header as a Bearer token:
url = api + "/organization/api/organization/user/allDetails/userId/" + username
response = requests.request(
"GET", url, headers={'Authorization': 'Bearer ' + token}, data={})
response.raise_for_status()
print(json.dumps(response.json(), indent=2))
Run the code
Download the source code
Download the user.py python source code.
Install requests module
python3 -m pip install requests==2.27.1
Set environment variables
Environment variables may be used to store common information:
Variable |
---|
ACTIVE_USERNAME |
ACTIVE_PASSWORD |
ACTIVE_API |
ACTIVE_CLIENT_ID |
ACTIVE_CLIENT_SECRET |
ACTIVE_TOKEN_URL |
For example:
export ACTIVE_USERNAME=user@example.com
export ACTIVE_CLIENT_ID=omnicomponent.1.0.0
Run CLI
Run the user.py script to obtain information for the authenticated user.
# See help for getting user info
python3 user.py -h
# Sample call (assumes ACTIVE_PASSWORD and ACTIVE_CLIENT_SECRET environment variables set)
python3 user.py \
-c omnicomponent.1.0.0 \
-t https://<environment>-auth.omni.manh.com/oauth/token \
-u user@system.com \
-a https://<environment>.omni.manh.com
Troubleshooting
If you receive a 400 Client Error: for url: https://...-auth.omni.manh.com/oauth/token, then your username and password are invalid for the authorization server.
1.3 - Call Manhattan Active® API using Postman
This guide will walk you through the steps for invoke an example REST API exposed by Manhattan Active®. The steps below will also assist you in establishing the authorization using OAuth v2.0 for invoking the API.
Before You Begin
- Download and install Postman or an equivalent tool of your choice. If you already have Postman installed, update it to v9.0.9 or newer.
- You will need the following information from the administrator who manages the implementation of Manhattan Active® applications for you:
- Application URL such as
https://<unique_id>.omni.manh.com
orhttps://<unique_id>.sce.manh.com
orhttps://<unique_id>.scp.manh.com
. We will usehttps://example.omni.manh.com
for this document. - Authorization Server URL such as
https://<unique_id>-auth.omni.manh.com
orhttps://<unique_id>-auth.sce.manh.com
orhttps://<unique_id>-auth.scp.manh.com
. We will usehttps://example-auth.omni.manh.com
for this document. - Values of
client_id
andclient_secret
parameters as configured by your administrator. A defaultclient_id
for Postman is automatically created with valuepostman.1.0.0
. The administrator can look up the value of the respectiveclient_secret
. We will useaQsuVkh24SAp8MYr
as the value ofclient_secret
for this document. - A valid username and password for you to authenticate yourself. We will use
jerrythomas@example.com
andp455w0rd
respectively as the username and password for this document.
- Application URL such as
- As a sample REST API, we will use the endpoint that returns the details of your user. You may replace it with any other REST API that you have access to.
Steps
The step-by-step instructions below include the steps to obtain the authorization token for invoking the target REST API, followed by the invocation of the API.
Obtaining the Authorization Token
1. Open Postman and click on “New”
2. In the pop-up dialog, select “HTTP Request”
3. Click on the “Authorization” tab in the request section under “Untitled Request”
4. Click on the “Type” drop-down and select “OAuth v2.0”.
5. In the right-hand section, scroll down to the sub-section titled “Configure New Token”, and enter the values as shown below:
- Token Name:
my-first-auth-token
- Grant Type: Authorization Code
- Callback URL:
https://www.getpostman.com/oauth2/callback
- Auth URL:
https://example-auth.omni.manh.com/oauth/authorize
- Access Token URL:
https://example-auth.omni.manh.com/oauth/token
- Client ID:
postman.1.0.0
- Client Secret:
aQsuVkh24SAp8MYr
- Scope: leave empty
- State: leave empty
- Client Authentication: Send as Basic Auth header
Click the “Get New Access Token” button to fetch the token.
6. Sign in with your username and password in the pop-up dialog. The pop-up may look different from the screenshot shown below depending on the Manhattan Active® application you are using.
7. Upon a successful login, Postman will display the access token in the UI, and give you an option to use it.
8. In the “Current Token” section of your REST API request, select my-first-auth-token
from the list to make use of the token you obtained.
Invoking the REST API call
1. To invoke the API to get the details of your username, set the URL to the value shown below:
http://example.omni.manh.com/organization/api/organization/user/allDetails/userId/jerrythomas@example.com
Set the HTTP method to GET
. The inputs will look like this:
Verify that the “Access Token” is set to my-first-auth-token
in the “Current Token” section.
Click on the “Send” Button.
2. The API response in JSON format will be displayed in the section on the bottom
You can inspect the response content and headers by switching the response tabs.
Pro Tip
With the access token, you can also invoke the API using curl
as a command line option instead of Postman:
curl -L -X GET -H 'Authorization: Bearer eyJhbGciOiJSUzI1Ni...' 'http://example.omni.manh.com/organization/api/organization/user/allDetails/userId/jerrythomas@example.com'
Learn More
1.4 - Manhattan Active® API Reference
2 - Configure login modes
Objective
Manhattan Active® Platform Auth Server has administrative user interface to configure or modify several aspects of security such as the authentication and login modes and OAuth client setup. This document describes how you can configure the login modes for authenticating to Manhattan Active® Platform.
Before You Begin
You will need access to the Manhattan Active® Platform application, and a System Administrator role to configure security properties in the Auth Server user interface.
Manhattan Active® Cloud standardizes authorization with OAuth2 for all inbound HTTP traffic. For identity provisioning and active directory integration, Manhattan Active® Cloud supports a variety of authentication modes with Open ID and SAML:
- External Authentication Mode with Open ID is a login configuration where the user is exclusively authenticated via an external Identity Provider using Open ID as the identity protocol. In this mode, all users are maintained by the external Identity Provider.
- External Authentication Mode with SAML is a login configuration where the user is exclusively authenticated via an external Identity Provider using SAML as the identity protocol. In this mode, all users are maintained by the external Identity Provider.
- Mixed Authentication Mode with User Discovery is a login configuration where the user identity is managed either in the Native authentication source by Manhattan Active® Cloud, or by an External Identity Provider with Open ID or SAML. The determination for the authentication mode for the actual user is made in real-time when the user attempts to log in, based on the user’s username. In this mode, the user is first prompted to enter their username, and the UI then redirects to the authentication mode configured for that user.
- Native Authentication Mode is a login configuration where the user is exclusively authenticated by Manhattan Active® Cloud. In this mode, the user directory, and credentials (in the form of usernames and passwords) are maintained in Manhattan Active® Cloud database. Users that are maintained with the native authentication mode are referred to as native users to distinguish them from the users that are maintained in the corporate directory. If no other authentication mode is configured, Native Authentication Mode is the default configuration.
Manhattan supports known Open ID and SAML Identity Providers for configuring as the External Authentication Mode. Integration with the IDPs listed below has been tested and supported:
- Microsoft Azure AD: Open ID & SAML
- ADFS: Open ID & SAML
- Okta: Open ID & SAML
- CA SiteMinder: Open ID
- Ping Identity: Open ID
- MITREid: Open ID
- KeyCloak: Open ID & SAML
- IBM Security Access Manager: SAML
Do note, that IDPs may have their nuances - not all IDPs support the full Open ID and/or SAML standards or may support additional features that are not part of the standards. In such cases, Manhattan offers technical support and consulting to accommodate the testing and validation necessary for a specific IDP to fully integrate with Manhattan Active® Cloud.
To access the administration UI, go to your Auth Server URL (https://<stack_name>-auth.<domain_name>
). After you log in, you should see the Administration option as a button that you can use to navigation to the administration UI:
The admin panel is accessible only to the users with the System Administrator role.
There are two main concepts that are important to understand:
Authorization providers
An authorization provider is a configuration for an external identity provider. For example, you could have the following authorization providers stored in the Auth Server configuration:
- OpenID with Okta
- Backup OpenID with Okta
- OpenID with Azure
- SAML external IDP
One of these providers could be used when setting the identity type to external or mixed.
Login mode
The login mode defines how your users will authenticate in the Auth Server.
- Active login mode will be loaded on the Auth Server startup and defines how the users authenticate.
- Pending login mode will be marked when setting a new login mode. If there is a pending login mode when the Auth Server starts it will be marked as Active and the previous Active login mode will be marked as Inactive.
Steps
-
Click on Configure Login Mode
-
Select the identity type between database, external or mixed and click Next
-
If you choose external or mixed in Step 2, it will show the list of available providers. You can also add new ones. Click on Add Authentication Provider to add a new one and select the protocol.
-
You can also click Show Templates to see predefined providers
-
Select a template
-
This will copy the pre-configured parameters, you will have to provide a unique Name that cannot be edited later. Click on Save button
-
This will create a provider. You can view it under Authentication Providers tab
-
The new login mode will be Pending until the next restart of the Auth Server.
Global Properties
There are other properties that are not exclusive of either OpenId or SAML. In the Global properties tab you can edit these properties.
Note that these properties will only be loaded when manh.security.dbmode=true
and a proper login mode is configured. Properties can be of three types: string
, number
or boolean
.
Learn More
Author
- Shipra Choudhary: Senior Software Engineer, Security, Manhattan Active® Platform, R&D.
3 - Configure Data Stream for Google PubSub
Objective
This guide will walk you through the steps for enabling the Data Streaming from Manhattan Active® to Google Cloud Pub/Sub endpoint owned and managed by the customer. The below steps also guides authorization and network access required to post events to this Pub/Sub endpoint.
Gravina is Manhattan Active® Platform’s data replication solution to provide most real-time data streaming service to target systems. It provides set of distributed services that capture row-level changes in databases so that applications can see and respond to those changes. DataStream utilizes JSON for exchanging data between internal & external components.
Google Cloud Pub/Sub provides messaging between applications. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a “topic” and other applications can subscribe to that topic to receive the messages.
Before You Begin
-
Deployment model:
- The current scope of this document considers the target Google Cloud Pub/Sub, is owned and managed by Customer. To meet customer business and preferences, we continue to extend our ability to support multiple deployment models.
- The current scope of this document considers the target Google Cloud Pub/Sub, is owned and managed by Customer. To meet customer business and preferences, we continue to extend our ability to support multiple deployment models.
-
Target Google Cloud Pub/Sub configuration:
- Google Project: Customer owned Google project.
- Region/Location: Google Cloud Pub/Sub is Global Service. but, we prefer to have both producer and subscriber in the same region.
- Pub/Sub topic name ( Optional ): Any preferred topic name to use. By default, Manhattan Active® uses the default gravina_cdc_stream_<customer
-
Network Connectivity & whitelist:
- Pub/Sub Targets: At present we support Google Cloud Pub/Sub.
- Network Traffic: Since both Source and targets are managed in GCP, traffic is routed through Google backbone interface.
- Access whitelist : If Customer Google Cloud Pub/Sub endpoint is allowed to connect only from the trusted IP sources, then Manhattan Active® Platform NAT range needs to whitelist in Customer network.
-
Data inclusion list for DataStreaming
- By default, Gravina ignores all tables for DataStreaming unless we define to include in replicator configuration.
- Get the list of database schemas and tables required to enable for DataStream to target system.
-
Subscription Strategy:
- By default, gravina creates the default subscription which can be used by Customer Application to process the data stream events from Pub/Sub
- Customer owns the configuration of target application subscription(s) and attach to Pub/Sub topic and processing of messages.
Steps
-
Generate service-account & Key:
- Login to Google Cloud Console –> Go to Google Cloud Project –> IAM & Admin
- Service Accounts
- Create Service Account : Ex: gravina-pubsub-sa
- Go to “Keys”
- ADD KEY –> Create New Key –> Select Key Type : JSON –> Create –> The JSON Key file gets downloaded.
- Provide the JSON Key file to Manhattan CLoud Ops Team in secured way.
- Login to Google Cloud Console –> Go to Google Cloud Project –> IAM & Admin
-
Grant Pub/Sub Editor permissions to service-account:
- Login to Google Cloud Console –> Go to Google Cloud Project –> IAM & Admin
- IAM
- Click on “ADD”
- Give the gravina-pubsub-sa as principle & Role as “Pub/Sub Editor”
- Save
- Login to Google Cloud Console –> Go to Google Cloud Project –> IAM & Admin
-
Provide the configuration details to Manhattan Cloud team for replicator configuration.
- Send the Service account “JSON Key file” which have the following details
- project_id
- service-account-id
- Key & secret
- Pub/Sub Topic Name ( If any explicitly needs to configure )
- Inclusion Table List ( If only required specific tables )
- Send the Service account “JSON Key file” which have the following details
-
Configure Network Access Whitelist in Customer Google Cloud project:
- If the Customer Google project is restricted access, then Manhattan team provide the NAT IP range from which the traffic will be initiated to Pub/Sub endpoint.
- Customer needs to whitelist the NAT IP range in Google Cloud Project to allow the access.
-
Target Pub/Sub topic Subscription:
- The configuration of subscription to topic and processing of messages are completely managed by Customer based on customer business needs.
- By default, gravina creates the subscription which can be configured and used by Customer Application to process the data stream events from Pub/Sub topic.
-
Monitoring & Alerts:
- Google Cloud Console provides the default monitoring statistics & metrics.
- Publish message request count.
- Average message size.
- Unacked message count.
- Oldest unacked message age.
- Customer responsible to configure the required monitoring and Alerting based on the business needs.
- Google Cloud Console provides the default monitoring statistics & metrics.
Learn More
Authors
- Srinivasa Rao Jammula: Director, Manhattan Active® Platform, R&D.
4 - Manage OAuth clients
Objective
Manhattan Active® Platform Auth Server has administrative user interface to configure or modify several aspects of security such as the authentication and login modes and OAuth client setup. This document describes how you can set up OAuth clients for external integration and for calling the REST API.
Before You Begin
You will need access to the Manhattan Active® Platform application, and a System Administrator role to configure security properties in the Auth Server user interface.
To access the administration UI, go to your Auth Server URL (https://<stack_name>-auth.<domain_name>
). After you log in, you should see the Administration option as a button that you can use to navigation to the administration UI:
The admin panel is accessible only to the users with the System Administrator role.
Clicking on the “OAuth Clients” option in the menu will take you to the UI to manage the configuration for OAuth Clients.
The UI has 2 sections in it:
- Custom clients: includes the clients that are created by users. These clients can be edited and deleted.
- Default clients: are pre-configured clients. These cannot be edited, but cloned.
Steps
- Goto Custom clients tab and click on Add button
- Add client details like client id, client secret. The value of client secret will be encoded and stored. Optionally, you can set value of Access token validity and Refresh token validity. Select appropriate Scopes and Grants for this client. For each Scope selected, you have option if you’d like to auto approve the requests. You can add one or more Redirect URIs and Resource Ids to this client.
- Hit Save button and this creates a new client.
Learn More
Author
- Shipra Choudhary: Senior Software Engineer, Security, Manhattan Active® Platform, R&D.