In this document, we will describe how VPN connection profile configuration can be obtained from the Acreto Ecosystem using the API.
On a technical level, this process consists of the following steps:
Before you start, you will need to:
You should also complete the API Quick start.
All examples in this document are constructed as curl commands.
For convenience, the following environment variables are used in these
examples:
/auth/login endpointGET /customers/{customer_uuid}/ecosystems/{ecosystem_uuid}/users endpointGET /customers/{customerUUID}/ecosystems/{ecosystemUUID}/devices endpointVPN connection profile configuration is a valid OpenVPN config file, and can be used to establish an OpenVPN connection to the Ecosystem.
Acreto Ecosystem allows the generation of 2 types of VPN connection profiles:
Note there are two types of tokens: TOKEN, which is used to authenticate access requests and should be generated based on IT Admin’s username and password, and DEVICE_TOKEN, which can be shared with End Users and used only to download the VPN connection profile.
To generate a device token for a user, you should send a POST request to
/customers/{customer_uuid}/ecosystems/{ecosystem_uuid}/users/{user_uuid}/token
endpoint. This endpoint takes only one optional argument, which is time to live,
(ttl) in seconds. If omitted, it will be set to a default value.
Note that ttl is subject to security policies within the Acreto platform, and
it is not guaranteed that generated token will have ttl provided in the
request. We recommend omitting this parameter and using the default value.
Request:
curl -X POST -d '{}' -H 'Content-type: application/json' -H "Authorization: Bearer $TOKEN" ${ENDPOINT}/customers/${customer_uuid}/ecosystems/${ecosystem_uuid}/users/${user_uuid}/token|jq .
Response:
{"token":"s.iibxqytafX1YvSRk9q7HSaYE"}
Save the value of “token” key into DEVICE_TOKEN variable for future reference:
DEVICE_TOKEN="s.iibxqytafX1YvSRk9q7HSaYE"
To generate a device token for a Thing, you should send a POST request to
/customers/{customer_uuid}/ecosystems/{ecosystem_uuid}/devices/{device_uuid}/token
endpoint. This endpoint takes only one optional argument, which is time to live,
(ttl) in seconds. If omitted, it will be set to a default value.
Note that ttl is subject to security policies within the Acreto platform, and
it is not guaranteed that generated token will have ttl provided in the
request. We recommend omitting this parameter and using the default value.
Request:
curl -X POST -d '{}' -H 'Content-type: application/json' -H "Authorization: Bearer $TOKEN" ${ENDPOINT}/customers/${customer_uuid}/ecosystems/${ecosystem_uuid}/devices/${device_uuid}/token|jq .
Response:
{"token":"s.iibxqytafX1YvSRk9q7HSaYE"}
Save the value of “token” key into DEVICE_TOKEN variable for future reference:
DEVICE_TOKEN="s.iibxqytafX1YvSRk9q7HSaYE"
To retrieve VPN Connection Profile configuration, End-User should send GET request to endpoint /tlsvpn/config/{platform}?_token={DEVICE_TOKEN}.
{platform} should be openvpn-udp (other options are not implemented at the time of writing).
Request:
curl ${ENDPOINT}/tlsvpn/config/openvpn-udp?_token=${DEVICE_TOKEN}
Response:
In response, VPN Connection Profile Configuration is returned as a file of type application/x-openvpn-profile.
Note that the End-User should correctly detect and interpret error codes; in particular, if the DEVICE_TOKEN is invalid or expired, the request will return HTTP 403 status.
In this document, we went through the process of retrieving VPN Connection Profile Configuration from Acreto API.