Original Publishing Date: 2020-01-22 Question I requested a sandbox on http://dev.apsstandard.org, it was approved and is in 'Ready' status. How do I access it? Answer To connect to your sandbox you need to configure a VPN connection. We use OpenVPN, you can request a VPN certificate in your profile after you register and get access to a sandbox. After you log in to http://dev.apsstandard.org click on your name in a blue rectangle in upper-right corner of the screen and select 'VIEW PROFILE' from a dropdown menu. In your profile you can request a VPN certificate, it will become available for download in several minutes. Link to detailed VPN client configuration instructions is also available in your profile. Note that the VPN clients suggested in instructions are not a requirement, you should be able to use any OpenVPN client to connect. After you connect to VPN, you can log in to the control panel with the admin password you specificed during sandbox creation. You can also access all machines in your sandbox via SSH, password for user root is the same as the initial admin password. Internal content

Original Publishing Date: 2020-01-22 Symptoms How to convert a Customer to Reseller on APS sandbox? Resolution Create a Service Template in OA OA > Service Templates > Add New Service Template Name = "Reseller Branding Template" Add the following Resource Types. Reseller accounts Client accounts Branding access points Set Resource Types Limits to finite values. Activate the Service Template. Create Reseller Management Template in BA BA > Service Plans > Service Templates tab > Add New Service Template > Resellers Management The settings are: Name = "Reseller Management Template" Branding Template = "Reseller Branding Template" Version = 1 Order Flow = "Default Order Flow" External Provisioning Template = "PEM Reseller" Create a generic Service Plan in BA BA > Service Plans > Add New Service Plan > Generic Service Plan Name = "Reseller Creation Plan" Service Template = "Reseller Management Template" Published = True Create an order and assign the service plan Reseller Creation Plan. Open order. Log in to OA as the reseller, go to BA, confirm initialization parameters such as currency value and so on. Log in to OA as a provider. Make sure that the provisioning has been done successfully. The customer should now be a reseller. To get more information regarding Service Plan delegation on other reseller questions refer to the Getting Started with Billing – Reseller's Guide guide Internal content Link on internal Article

Original Publishing Date: 2020-01-22 Symptoms Any requests to the APS REST API fails with 403 error if oAuth authorization is used. Cause oAuth authorization requires HTTPS protocol to operate as described in the documentation. Resolution In order to make it work, we have to create the brand and send the request via HTTPS protocol to the brand URL. E.g. create the brand "cats.tld", add this record to the hosts file and use the following script to send request: from requests_oauthlib import OAuth1Session # Enter input parameters: consumer_key = 'DJ0wWDJarXbzK5iITucFkmcUGWfCrcsY' consumer_secret = 'zkRDUTA1V8GFdbvkViWnk3PvITcvz***********InTYs5VyJNMO8ZQL6UVof2Nu6g' url = "https://cats.tld/aps/2/resources/" # Set session parameters and get response: session = OAuth1Session(consumer_key, consumer_secret) response = session.get(url, verify=False) print response.text Internal content

Original Publishing Date: 2020-01-22 Symptoms When I try to create an instance of my APS resource from CCP, UI hangs in waiting for ... state. Cause Some script is stuck while being executed. Resolution Press Create again. Right after that, execute tail -f /var/log/poa-ui.log > /tmp/uilog to catch what is happening with UI. Wait for about 30 seconds. Cancel tail and search /tmp/uilog for the method that it is getting stuck on (usually the last). Search for the same method in /var/log/poa.debug.log. If the method's name is validateSettingsForApplicationInstance, the execution halts in one of custom application scripts. Use ps aux | grep php to search where is it stuck and then search for the problematic code in /usr/local/pem/APS/scripts/. Internal content

Original Publishing Date: 2020-01-22 Symptoms I have a property with encrypted attribute but cannot get the value from my custom UI, access is allowed to the service I'm trying to get it from: "access": { "owner": true, "admin": true, "referrer": true } Cause Since POA 5.5.2 it is not possible to get value of an encrypted property from custom UI: secure information should not be sent in plain text since it can be easily extracted using a debugger. Encrypted properties are signified by: @encrypted tag in PHP runtime code. Some built-in types (like service users) have encrypted properties as well (passwords). Resolution Application back-end can still get values of all properties when authenticating with application certificate. Using a certificate is crucial to get these properties decrypted. In essence, it is not a problem of owner, admin or referrer access, but a problem of type of authorization. Example Your application's resources are provided to POA service users (your resource has a relation to service user in other words) and you need to know the password of a service user. If your application uses the PHP runtime library: .... // imagine your resource has a link to service user called 'user' /** * @link("http://aps-standard.org/types/core/service-user/1.0") * @required */ public $user; .... // from backend, we can fetch encrypted properties of the user object, including password public function provision() { ... $apsc = \APS\Request::getController(); $user = $apsc->getResource($this->user->aps->id); // here the $user variable contains full representation of user object, including encrypted fields like passwords $password = $user->password // now I can access the user's password $password = $this->user->password // or without fetching with getResource ... } Note: For testing purposes, you can query APS bus with application instance token (pem.APS.getApplicationInstanceToken OA API method) and it will be effectively the same as authorizing via certificate. You will be able to see encrypted properties in this case. Internal content

Original Publishing Date: 2020-01-22 Find some answers to frequently asked questions about APS 2 sandboxes here For developers of APS 2 packages we provide sandboxes -- dedicated instances of Odin Service Automation that can be used to learn the art of building a package as well as to test your own package as it is being developed. Detailed information about sandboxes is available in documentation. Links to KB articles with frequently asked questions about these sandboxes are listed below. How do I request a sandbox for APS 2 package development? How do I access my sandbox? How do I update my sandbox to a more recent version of Odin Service Automation? How do I reinstall a broken sandbox? Can I have several sandboxes? I requested a sandbox with billing and the billing panel does not open, what do I do? Can a Odin Service Automation sandbox be deployed in my local datacenter? I had an account on demo.apsstandard.org but it does not work anymore Internal content

Original Publishing Date: 2020-01-22 Question After some operations my sandbox is broken (database became inconsistent, some services do not work, etc). How to reinstall the sandbox and start from scratch? Answer You can redeploy your sandbox using self-service portal on http://dev.apsstandard.org. Click on SANDBOXES, choose 'provision/reprovision' action and specify the versions of Operations Automation (and Business Automation if applicable) you would like to be installed. Redeployment can take between 1 and 4 hours depending on configuration of your sandbox. Note that your sandbox will be destroyed and then redeployed from scratch and all data stored in it will be lost. Internal content

Original Publishing Date: 2020-01-22 Question I need more than one sandbox to develop a package. Can I get another one? Answer Typically we provide just one sandbox with a given configuration per organization however if you have a specific reason why a second one is required you can send us a request with a short note describing why you need another one. If you simply request a second (third, etc.) sandbox without stating why it is needed your request is likely to be rejected. There is typically no reason to have multiple sandboxes. One is sufficient for most cases. For instance, if you require some additional module that is not installed in your sandbox, you may contact us and we will help you out by redeploying your sandbox with the modules you require or providing you with an account on a shared sandbox that has the modules you need. If your sandbox became broken you can destroy and reprovision it from the self-service portal. Internal content

Original Publishing Date: 2020-01-22 Symptoms In OSA 7 in CCPv2 creation of a resource fails with the following output in UI: Creation of resource with type 'http://vps.com/servers/hd/1.0' is not allowed. Make sure that corresponding Resource is included into Subscription and does not exceed its limit Cause This is a new feature of OSA 7. An application either has to be set to MSS (Multiple Subscription Services) mode or provide subscription ID in APS-Subscription-ID header. Default mode is AWS (Account Wide Subscription). Please refer to documentation on subscription specification. Resolution MSS mode can be set in APP-META.xml as described here. In AWS mode subscriptionID should be specified. It can be retrieved and specified the following way: aps.context.subscriptionId = aps.context.vars.context.aps.subscription; Internal content Link on internal Article

Original Publishing Date: 2020-01-22 Symptoms Synchronize resource usage for APS application instance #XXX (G Suite) periodic task fails: Last execution output Transaction rolled back Transaction rolled back The G Suite Endpoint logs contain the error: Jul 8 23:10:39 ERROR 28517 Customer: 1010101:: Subscription: 1001001:: Method: googleaccount::_addSeatAccount## Error on create Odin Google User with error: Customer: 1010101:: Subscription: 1001001:: Method: googleaccount::_addSeatAccount## Error on create Odin Google User (seataccount) for G-Suite User jdoe@example.com and Odin User 61de92cd-14e2-420f-8253-0f4291841394 with error: Subscription #1001001 is locked. Cause Unclear past actions resulted in subscription state discrepancy: the subscription is disabled in Odin Automation, but remains active on G Suite side. Resolution Contact TAM or PTA (pta@cloudblue.com) to address the situation. Internal content Link on internal Article