Creating API application integrations

Typically, application owners request API access, with specific scopes and restrictions, from a Venafi master administrator. Master admins then create a new application integration for each application. They can do this either by creating a Custom Solution (in which they create what is needed from scratch) or by importing JSON from a Venafi partner or software developer to create a Vendor Integration.

Regardless of how your organization might handle this, it's a coordinated effort because either the application owner or the administrator has information needed by the other.

NOTE  If you've not yet used this feature, you might need to first configure token authentication. See Setting up token authentication.

First things first

Before you continue, it's a good idea to review the following prerequisite steps and considerations:

  • If you're going to create a custom solution:
    • Identities needed for the application

      For details, see Token Auth privilege restrictions.

    • Name and purpose of the application (a name and description are both required)
    • Application ID, which is generated from the application name when creating the integration (although you can specify an application ID that is different from the application name)

      NOTE  The application ID identifies an integration, application, or client that uses this REST API. When tokens are requested, they must specify the application ID. Within the API methods, this maps to the client_id documented here.

    • Required scopes

      For details about available scopes, see Token Auth scope.

      BEST PRACTICE  It's better to configure the required scopes correctly and not have to change them later.

  • If you're going to create a vendor integration:
    • Consider whether this is the integration you need; typically, you'd choose this option when your application needs Token Auth scopes or privileges that are not included in the custom solution option.
    • Have the required JSON available from your vendor or developer; you'll need to copy and paste the JSON as part of the procedure

To create an application integration

  1. Open Aperture.

    If you're already logged into a Venafi console, use the Product Switcher to avoid having to open another browser tab or window and log in again.

  1. Click Configuration > API Application Integrations, and then click New Application Integration.
  2. Do one of the following:
    1. Select Custom Solution, the default option, and then continue to Step 3.
    2. Select Vendor Integration if the scope or restriction you need is not listed as part of a custom solution. You can import settings provided by a Venafi partner or developer. Do the following:
      1. Copy the JSON file contents from your vendor or developer and paste it into the Vendor Application JSON box.

        Make sure it matches your application's OAuth scope.

        TIP  You can more easily confirm that the syntax is correct using a separate JSON syntax checker.

      2. Skip down to Step 8 (Access Limits).
  3. In Application Name, type a name for your application.
  4. (Optional) In Vendor, type the name of the company or organization who created the application.

  5. Under API Access Methods, select the scopes and restrictions needed for the application.

    Scopes and restrictions only apply to API access.

    For details about available scopes, see Token Auth scope.

    For details about restrictions, see Token Auth privilege restrictions.

  6. (Required) Type a description of your new application integration.
  7. (Optional) Type an application ID. You can leave this field blank if you want it to be the same as Application Name (empty spaces are removed automatically).

    TIP  If you leave this blank, Aperture will simply copy the Application Name and remove spaces.

  8. Under Access Limits, do one of the following:

    1. Click Use TPP Defaults to accept the default setting of 90 days.

    2. If you want to customize grant expiration periods and token behavior, override settings from the Remote Access tree. Click Configure, and do the following:
      1. In Grant Expiration Period, specify how long (in days) before the grant should expire.
      2. To allow tokens to be renewed automatically, select Enabled (the default setting).
      3. In Token Expiration Period, specify how long (in days) before the token should expire.
  9. When you're finished, click Save.
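
A pre-paste check for the Vendor Integration step above, as an added example that is not Venafi's code: it verifies the JSON syntax and flags any scope or restriction the vendor JSON requests beyond what was approved for the application. The `scope` field name, the `scope:restriction,restriction;scope` string format, and the sample JSON are assumptions; adjust them to the JSON your vendor supplies.

```python
import json


def parse_scope(scope):
    """Parse 'certificate:manage,revoke;ssh' into {scope: {restrictions}} (assumed format)."""
    result = {}
    for part in filter(None, (p.strip() for p in scope.split(";"))):
        name, _, restrictions = part.partition(":")
        result.setdefault(name.strip().lower(), set()).update(
            r.strip().lower() for r in restrictions.split(",") if r.strip())
    return result


def review_vendor_json(text, approved_scope):
    """Return a list of findings; an empty list means nothing exceeds the approval."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"syntax error at line {e.lineno}, column {e.colno}: {e.msg}"]
    # Assumption: the requested scopes live in a top-level "scope" string.
    if not isinstance(doc, dict) or not isinstance(doc.get("scope"), str):
        return ["no 'scope' string found in the top-level object"]
    approved = parse_scope(approved_scope)
    findings = []
    for name, restrictions in parse_scope(doc["scope"]).items():
        if name not in approved:
            findings.append(f"scope '{name}' was not approved")
            continue
        extra = restrictions - approved[name]
        if extra:
            findings.append(f"scope '{name}' requests unapproved restrictions: "
                            f"{', '.join(sorted(extra))}")
    return findings


# Constructed sample, not taken from any real vendor integration.
SAMPLE = ('{"id": "example-app", "name": "Example App", '
          '"scope": "certificate:manage,revoke;ssh:manage"}')

if __name__ == "__main__":
    # The application owner was approved for certificate:manage only.
    for finding in review_vendor_json(SAMPLE, "certificate:manage") or ["OK"]:
        print(finding)
```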

What's next?

If you created a vendor integration:

If you need to later edit the API access list for your API integration, see Adding additional API methods and permissions on existing application integrations.