Status API authentication

Token-based authentication is not required to access the status API. You can choose to authenticate requests with certificates or you can use HTTP to access the API without authentication.

Certificate authentication

You can authenticate requests with a certificate listed in RBAC's certificate allowlist, located at /etc/puppetlabs/console-services/rbac-certificate-allowlist. The certificate allowlist is a simple, flat file consisting of certnames that match the host, for example:
node1.example
node2.example
node3.example

If you edit the certificate allowlist, you must reload the pe-console-services service (run sudo service pe-console-services reload) for your changes to take effect.

To use the certificate in a curl request, you must include the allowed certificate name (which must match a name in the rbac-certificate-allowlist file) and the private key. This example shows how to use puppet commands to include an allowed certificate in a curl request:
cert="$(puppet config print hostcert)"
cacert="$(puppet config print localcacert)"
key="$(puppet config print hostprivkey)"
uri="https://$(puppet config print server):4433/status/v1/services"

curl --cert "$cert" --cacert "$cacert" --key "$key" "$uri"

For information about using puppet commands to populate curl arguments, go to Using example commands.

Tip: You do not need to use an agent certificate for authentication. You can use puppet cert generate to create a new certificate to use specifically with the API.
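
The following pre-flight check is an added example, not part of the original documentation or of Puppet's own tooling. It assumes the allowlist holds one certname per line and that entries are compared as exact strings; the function names and the lint rules (whitespace, CRLF endings, duplicates, hostname-style characters) are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the RBAC certificate allowlist.
# Assumption: one certname per line, compared as an exact string.
ALLOWLIST_DEFAULT=/etc/puppetlabs/console-services/rbac-certificate-allowlist

# certname_allowed CERTNAME [ALLOWLIST]
# Returns 0 only when CERTNAME is a whole line of the file. -F treats dots
# literally and -x rejects substrings, so "node1.example" does not match
# "node1.example.com" or "node1xexample". Returns 2 on bad input.
certname_allowed() {
  local name="$1" file="${2:-$ALLOWLIST_DEFAULT}"
  [ -n "$name" ] && [ -r "$file" ] || return 2
  grep -Fxq -- "$name" "$file"
}

# allowlist_lint [ALLOWLIST]
# Prints one finding per line for entries that would silently fail an exact
# match or that widen the list unintentionally. Returns 0 when clean, 1 when
# there are findings, 2 when the file cannot be read.
allowlist_lint() {
  local file="${1:-$ALLOWLIST_DEFAULT}"
  [ -r "$file" ] || { echo "unreadable: $file"; return 2; }
  awk '
    /^$/     { next }
    /\r$/    { printf "line %d: CRLF line ending\n", NR; bad = 1; sub(/\r$/, "") }
    /[ \t]/  { printf "line %d: whitespace in entry\n", NR; bad = 1 }
    !/^[A-Za-z0-9._-]+$/ && !/[ \t]/ {
               printf "line %d: unexpected characters\n", NR; bad = 1 }
    seen[$0]++ { printf "line %d: duplicate entry %s\n", NR, $0; bad = 1 }
    END      { exit bad + 0 }
  ' "$file"
}

# demo: runs both checks against a constructed allowlist (not real data).
demo() {
  local tmp; tmp="$(mktemp)"
  printf 'node1.example\nnode2.example \nnode1.example\n' > "$tmp"
  allowlist_lint "$tmp"
  certname_allowed node2.example "$tmp" || echo "node2.example: not an exact match"
  rm -f "$tmp"
}

# Typical use before the curl request shown above:
#   certname_allowed "$(puppet config print certname)" || echo "certname not allowlisted"
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run allowlist_lint after editing the file and before reloading pe-console-services, so a malformed entry is caught before it takes effect.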

HTTP authentication

Status API endpoints can be served over HTTP, which does not require any authentication, but this is disabled by default. To enable HTTP:
  1. In the PE console, go to the PE Console node group.
  2. On the puppet_enterprise::profile::console class, set console_services_plaintext_status_enabled to true.

The default HTTP status endpoint port is 8123. To change the port:
  1. In the PE console, go to the PE Console node group.
  2. On the puppet_enterprise::profile::console class, set the console_services_plaintext_status_port parameter to the relevant port number.