Getting Started with the Event Hub

Event Hub Setup

The following account access and software must be present before setting up the Event Hub.

Before you begin using Event Hub, obtain the following account access and software. It is also helpful to have a working knowledge of gRPC. For more information about gRPc, see https://github.com/google/protobuf#protocol-compiler-installation

Accounts

You should have the following accounts to use Predix services:

A Predix.io account. See t_registering_for_a_predix_account.html#task_a0b9d32e-24ff-4c84-a210-713527bce17c.
When you register for a Predix.io account, an org and space is created for you in Cloud Foundry.
A Github account. Go to https://github.com/join.

Software


Software	Version	Description
Cloud Foundry CLI	Latest stable binary version	Use the Cloud Foundry CLI to deploy and manage applications and services. Download the latest stable binary from https://github.com/cloudfoundry/cli#downloads.
Git	Latest	Download Git from https://git-scm.com/downloads.
Maven		If you are developing with Java, you can use Maven to manage and organize dependencies for your project. You can download Maven from https://maven.apache.org/download.cgi.
Google Protocol Buffer Compiler	3.0.0	To publish and subscribe using gRPC, you need to compile a .proto file, which generates source code for the language you use to interact with the Event Hub service. You can download Protocol Compiler from https://github.com/google/protobuf#protocol-compiler-installation.

Task Roadmap

The following table shows the steps for setting up the Event Hub service.


Step
1. (Optional) Configure your proxy settings.	Depending on your location and network configuration, you may need to configure your proxy settings to access remote resources. See t_defining_proxy_connections_to_remote_resources.html#task_97cc6304-e168-459d-9952-a45708ff8361.
2. Create a UAA service instance.	See uaas-get-started.html#task_y1l_vms_2s.
3. Create the Event Hub service instance.	See ehs-getting-started.html#task_f427bba4-a466-4138-9a9d-b471907cb8c4.
4. Bind your application to the Event Hub service instance.	See ehs-getting-started.html#task_dcw_5tr_rv .
5. Create an OAuth2 client.	The OAuth 2.0 protocol establishes a client as an application that makes protected resource requests on behalf of the resource owner and with its authorization. See uaas-managing-clients.html#task_79a81b74-552e-4f74-abfc-bd37e6adac87.
6. Update the OAuth2 client to use Event Hub.	See uaas-managing-clients.html#task_k3h_k2c_1x.
7. Add the required Event Hub scopes.	See ehs-getting-started.html#task_9e08677f-d894-49bf-b34d-e376b44ca015.
8. Add Predix zone token scopes to your application.	See ehs-getting-started.html#task_8e08b8fb-199c-418f-897e-f6be754c22e5.
9. Set up a gRPC client.	See ehs-getting-started.html#task_79b3d83c-cc6d-4e11-bbb0-ee5c6b82afa1.

Working With protobuf

Predix uses protocol buffers for publishing and subscribing to events.

Before You Begin

You should be familiar with gRPC and Google protocol buffers before using Event Hub. You can read about gRPC and protocol buffers at http://www.grpc.io/docs/guides/ and https://developers.google.com/protocol-buffers/docs/overview.

Procedure

To use gRPC for publishing and subscribing using gRPC, save the following .proto file as EventHub.proto to your project's working directory. This generates source code for the language you want to use to interact with the Event Hub service.

syntax = "proto3";
option java_multiple_files = true;
option java_package = "com.ge.predix.eventhub";
option java_outer_classname = "EventHubService";
package predix.eventhub;


// A Timestamp represents a point in time independent of any time zone
// or calendar, represented as seconds and fractions of seconds at
// nanosecond resolution in UTC Epoch time. It is encoded using the
// Proleptic Gregorian Calendar which extends the Gregorian calendar
// backwards to year one. It is encoded assuming all minutes are 60
// seconds long, i.e. leap seconds are "smeared" so that no leap second
// table is needed for interpretation. Range is from
// 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z.
// By restricting to that range, we ensure that we can convert to
// and from  RFC 3339 date strings.
// See [https://www.ietf.org/rfc/rfc3339.txt](https://www.ietf.org/rfc/rfc3339.txt).
//
// Example 1: Compute Timestamp from POSIX `time()`.
//
//     Timestamp timestamp;
//     timestamp.set_seconds(time(NULL));
//     timestamp.set_nanos(0);
//
// Example 2: Compute Timestamp from POSIX `gettimeofday()`.
//
//     struct timeval tv;
//     gettimeofday(&tv, NULL);
//
//     Timestamp timestamp;
//     timestamp.set_seconds(tv.tv_sec);
//     timestamp.set_nanos(tv.tv_usec * 1000);
//
// Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`.
//
//     FILETIME ft;
//     GetSystemTimeAsFileTime(&ft);
//     UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
//
//     // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z
//     // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z.
//     Timestamp timestamp;
//     timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL));
//     timestamp.set_nanos((INT32) ((ticks % 10000000) * 100));
//
// Example 4: Compute Timestamp from Java `System.currentTimeMillis()`.
//
//     long millis = System.currentTimeMillis();
//
//     Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000)
//         .setNanos((int) ((millis % 1000) * 1000000)).build();
//
//
// Example 5: Compute Timestamp from current time in Python.
//
//     now = time.time()
//     seconds = int(now)
//     nanos = int((now - seconds) * 10**9)
//     timestamp = Timestamp(seconds=seconds, nanos=nanos)
//
//

message Timestamp {

  // Represents seconds of UTC time since Unix epoch
  // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
  // 9999-12-31T23:59:59Z inclusive.
  int64 seconds = 1;

  // Non-negative fractions of a second at nanosecond resolution. Negative
  // second values with fractions must still have non-negative nanos values
  // that count forward in time. Must be from 0 to 999,999,999
  // inclusive.
  int32 nanos = 2;
}
 
message Message {
  string id = 1; // Message ID - UUID
  bytes body = 2; // Payload from the Producer. there is also "Any" type, but its still under development
  string zone_id = 3;
  map<string, string> tags = 4; // Some general attributes, could potentially be used for tagging and others
  bytes key = 5;
  string topic = 6 ;
  int32 partition = 7 ;
  int64 offset    = 8 ;
  Timestamp timestamp = 9 ;
}
 
message Ack {
  string id = 1;
  AckStatus status_code = 2;
  string desc = 3;
  string topic = 4 ;  // this you will only get this the ack is a success
  int32 partition = 5 ; // this you will only get this the ack is a success
  int64 offset    = 6 ; // this you will only get this the ack is a success
  Timestamp timestamp = 7 ; // this you will only get this the ack is a success
  bytes body = 8 ; // you will only get this if the ack is a failure .
  string zone_id = 9; // you will only get this if the ack is a failure .
  map<string, string> tags = 10; // you will only get this if the ack is a failure .
  bytes key = 11; // you will only get this if the ack is a failure .
}
 
enum AckStatus {
  ACCEPTED = 0;
  BAD_REQUEST = 1;
  REQUEST_TOO_LARGE = 2;
  FAILED = 3;
}
 
message Messages {
  repeated Message msg = 1;
}
 
message PublishRequest {
  Messages messages = 1;
}
 
message PublishResponse {
  repeated Ack ack = 1;
}

message SubscriptionResponse {
  repeated Ack ack = 1 ;
}
 
message SubscriptionRequest {
  string zone_id = 1; // zone name, this will be the user's zone
  string subscriber = 2; // subscriber name, this will be utilized to parallelize processing
  string instance_id = 3; // particular instance of the subscriber 
}
 
// Publisher service definition
service Publisher {
  // Send message to topic. Topic name will be in URI
  rpc send (stream PublishRequest) returns (stream PublishResponse) {}
}
 
// Subscriber service definition
service Subscriber {
  // Receive message from a topic, as a subscriber
   rpc receive (SubscriptionRequest) returns (stream Message) {}
   rpc receiveWithAcks (stream SubscriptionResponse) returns (stream Message) {}
}

Follow the directions at https://github.com/google/protobuf#protocol-compiler-installation to install the Protocol Buffer Compiler 3.0.0 for your system.

Generate source code in your language.

Navigate to the directory where you saved the .proto file, then run the protoc command.

The flags you use in the command depend on the language you are using. For example, if you are using Go, the command is:

protoc --go_out=plugins=grpc:. *.proto

If you are using Java, the command is:

protoc --javaout=./target/classes/<package_path> ./src/main/proto/EventHub.proto

Once the protoc command executes successfully, you should see the file that was generated, which contains EventHub in the name. The generated output depends on the language you are working in.

The following table shows some examples:


Language	Generated Output	References
Go	.pb.go file with a type for each message type in your file	https://github.com/golang/protobuf
Java	.java file with a class for each message type, as well as special Builder classes for creating message class instances.	https://github.com/google/protobuf/tree/master/java
Python	A module with a static descriptor of each message type in your .proto, which is then used with a meta class to create the necessary Python data-access class at runtime.	https://github.com/google/protobuf/tree/master/python

Creating a UAA Service Instance

You can create multiple instances of the UAA service in your space.

About This Task

As a best practice, first delete any older unused instances before creating a new one.

Procedure

Sign into your Predix account at https://www.predix.io.
Navigate to Catalog > Services, then click the User Account and Authentication tile.
Click Subscribe on the required plan.

Complete the fields on the New Service Instance page.


Field	Description
Org	Select your organization.
Space	Select the space for your application.
Service instance name	Enter a unique name for this UAA service instance.
Service plan	Select a plan.
Admin client secret	Enter a client secret (this is the admin password for this UAA instance). The client secret can be any alphanumeric string. Note: Record the client secret in a secure place for later use.
Subdomain	(Optional) Enter a subdomain you might need to use in addition to the domain created for UAA. You must not add special characters in the name of the subdomain. The value of sub-domain is case-insensitive.

Click Create Service.

Results

Your UAA instance is created with the following specifications:

A client identifier (admin).
Note: An admin client is required for bootstrap purposes. You can create additional clients to use with your application.
A client secret (that you specified while creating the service).

To retrieve additional details of your instance, you can bind an application to your instance.

Using the Command Line to Create a UAA Service Instance

Optional procedure for using the command line instead of the graphical user interface to create a UAA service instance.

About This Task

You can create up to 10 instances of UAA service in your space. If you need additional instances, you must delete an older unused instance and create a new one.

Procedure

Use the Cloud Foundry CLI to log into Cloud Foundry.
```
cf login -a <API_Endpoint>
```
Note: If you are a GE employee, you must use the cf login --sso command to log into Cloud Foundry. After you enter your SSO, you will receive a one-time passcode URL. Copy this URL and paste it in a browser to retrieve your one-time passcode. Use this code with the cf command to complete the CF login process.

Depending on your Predix.io registration, the value of <API_Endpoint> is one of the following:
- Predix US-West
  https://api.system.aws-usw02-pr.ice.predix.io
- Predix Europe
  https://api.system.aws-eu-central-1-pr.ice.predix.io
For example,
```
cf login -a https://api.system.aws-usw02-pr.ice.predix.io
```
List the services in the Cloud Foundry marketplace by entering the following command.
```
cf marketplace
```
The UAA service, predix-uaa, is listed as one of the available services.
Create a UAA instance by entering the following command.
```
cf create-service predix-uaa <plan> <my_uaa_instance> -c '{"adminClientSecret":"<my_secret>","subdomain":"<my_subdomain>"}'
```
where:
- cf stands for the CLI command, cloud foundry
- cs stands for the CLI command create-service
- <plan> is the plan associated with a service. For example, you can use the tiered plan for the predix-uaa service.
- -c option is used to specify following additional parameters.
  - adminClientSecret specifies the client secret.
  - subdomain specifies a sub-domain you might need to use in addition to the domain created for UAA. This is an optional parameter. You must not add special characters in the name of the sub-domain. The value of sub-domain is case insensitive.
Note: Cloud Foundry CLI syntax can differ between Windows and Linux operating systems. See the Cloud Foundry help for the appropriate syntax for your operating system. For example, to see help for the create service command, run cf cs.

Results

Your UAA instance is created with the following specification:

A client identifier (admin).

Note: An admin client is created for bootstrap purposes. You can create additional clients to use with your application.
A client secret (that you specified while creating the service).

To retrieve additional details of your instance, you can bind an application to your instance.

Example

Create a predix-uaa service instance with client secret as admin and sub-domain as ge-digital:

cf cs predix-uaa tiered test-1 -c '{"adminClientSecret":"admin","subdomain":"ge-digital"}'

This is how it appears in VCAP SERVICES when using the cf env <app_name> command:

"VCAP_SERVICES": { 
"predix-uaa": [
   {
    "credentials": {
     "dashboardUrl": "https://uaa-dashboard.run.asv-pr.ice.predix.io/#/login/04187eb1-e0cf-4874-8218-9fb77a8b4ed9",
     "issuerId": "https://04187eb1-e0cf-4874-8218-9fb77a8b4ed9.predix-uaa.run.asv-pr.ice.predix.io/oauth/token",
     "subdomain": "04187eb1-e0cf-4874-8218-9fb77a8b4ed9",
     "uri": "https://04187eb1-e0cf-4874-8218-9fb77a8b4ed9.predix-uaa.run.asv-pr.ice.predix.io",
     "zone": {
      "http-header-name": "X-Identity-Zone-Id",
      "http-header-value": "04187eb1-e0cf-4874-8218-9fb77a8b4ed9"
     }
    },
    "label": "predix-uaa",
    "name": "testuaa",
    "plan": "Tiered",
    "provider": null,
    "syslog_drain_url": null,
    "tags": [],
    "volume_mounts": []
   }
  ],

Creating an Event Hub Service Instance

You must create and configure an Event Hub service instance before you can bind an application to the service.

Before You Begin

Complete the ehs-getting-started.html#concept_8491b435-e6ab-48e9-b496-140fb2bcdf09.

Procedure

Sign into your Predix account at https://www.predix.io.
Navigate to Catalog > Data Management, then click the Event Hub tile.
Choose the plan, then click Subscribe.

On the New Service Instance page, enter the following information:

Field	Description
Org	Selection our organization.
Space	Select the space for your application.
User account and authentication (UAA)	Select the UAA service instance to bind to your service instance, or click Subscribe to New UAA to create a new UAA service instance.
Service Instance Name	Enter a unique name for your service instance.
Select a Plan	Select a plan.

Click Create Service.
You can also use the Cloud Foundry CLI to create an Event Hub service instance.
On Mac OS and Linux, use the following syntax:
```
cf create-service predix-event-hub <plan> <my_event_hub_instance> -c '{"trustedIssuerIds":["<uaa_instance1_host>/oauth/token", "<uaa_instance2_host>/oauth/token"]}'
  
```
On Windows, use the following syntax:
```
cf create-service predix-event-hub <plan> <my_event_hub_instance> -c "{\"trustedIssuerIds\":[\"<uaa_instance1_host/oauth/token\", \"<uaa_instance2_host/oauth/token\"]}"
```
where:
- <plan> – The plan associated with a service.
- <my_event_hub_instance> – the service instance you are creating.
- "trustedIssuerIds" – The issuerID of your trusted issuer (UAA instance), such as https://13fa0384-9e2a-48e2-9d06-2c95a1f4f5ea.predix-uaa.grc-apps.svc.ice.ge.com/oauth/token. You can use a comma-separated list to specify multiple trusted issuers. You can retrieve this URL from the VCAP_SERVICES environment variable after binding your UAA instance to an application.

Binding an Application to the Event Hub Service Instance

About This Task

You must bind your application to your Event Hub service instance to provision its connection details in the VCAP_SERVICES environment variable. Cloud Foundry runtime uses the VCAP_SERVICES environment variables to communicate with a deployed application about its environment.

Procedure

Bind your application to the new Event Hub service instance.
```
cf bind-service <your_app_name> <event_hub_service_instance_name>
```
The <event_hub_service_instance_name> instance is bound to your application.
Restage your application to ensure the environment variable changes take effect:
```
cf restage <application_name>
```

To view the environment variables for your application, enter the following command:

cf env <application_name>

The command displays the environment variables, which contain the publish and subscribe endpoint URIs.

"VCAP_SERVICES": {
	"predix-event-hub-<service>": [{
		"credentials": {
			"publish": {
				"protocol_details": [{
					"protocol": "grpc",
					"uri": "eventhub.<cf_host>:443",
					"zone-token-scope": ["predix-event-hub.zones.<Predix-Zone-Id>.user", "predix-event-hub.zones.<Predix-Zone-Id>.grpc.publish"]
				}, {
					"protocol": "wss",
					"uri": "wss://eventhub.<cf_host>/v1/stream/messages/",
					"zone-token-scope": ["predix-event-hub.zones.<Predix-Zone-Id>.user", "predix-event-hub.zones.<Predix-Zone-Id>.wss.publish"]

				}],
				"zone-http-header-name": "Predix-Zone-Id",
				"zone-http-header-value": "<Predix-Zone-Id>"
			},
			"subscribe": {
				"protocol_details": [{
					"protocol": "grpc",
					"uri": "eventhub.<cf_host>:443",
					"zone-token-scope": ["predix-event-hub.zones.<Predix-Zone-Id>.user", "predix-event-hub.zones.<Predix-Zone-Id>.grpc.subscribe"]
				}],
				"zone-http-header-name": "Predix-Zone-Id",
				"zone-http-header-value": "<Predix-Zone-Id>"
			}
		},
		"label": "predix-event-hub",
		"name": "sample-event-hub-app",
		"plan": "Beta",
		"provider": null,
		"syslog_drain_url": null,
		"tags": ["predix-event-hub", "eventhub", "event hub"]
	}]
}

Creating an OAuth2 Client

You can create OAuth2 clients with specific permissions for your application to work with Predix Platform services. Often this is the first step after creating an instance of a service.

About This Task

When you create an instance of UAA, the UAA Dashboard is available for configuring that instance of UAA. You can use the Client Management tab in the UAA Dashboard to create the OAuth2 clients.

If you are prefer using the UAA command-line interface (UAAC) instead of UAA Dashboard to create an OAuth2 client, see uaas-managing-clients.html#task_sp2_zvk_rdb

Procedure

In the Predix.io Console view, select the Space where your services are located.
In the Services Instances page, select the UAA instance to configure.
Select the Configure Service Instance option.
In the UAA Dashboard login page, specify your admin client secret and click Login.
In UAA Dashboard, select the Client Management tab.
The Client Management tab has two views, Clients and Services . The Services view displays the service instances that you have created for your services.
Note: The service instances displayed in the Services view were created while using the UAA that you are trying to configure. Service instances that you created using other UAA instances are not displayed on this page.
Click Create Client to open the Create Client form.

Complete the Create Client form.


Field	Description
Client ID	Specify a name for the OAuth2 client you are creating.
Authorized Grant Types	Choose one or more of the following grant types: authorization_code When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code. client_credentials When you use the client credentials grant type, the OAuth2 endpoint in UAA accepts the client ID and client secret and provides Access Tokens. password When you use the resource owner password credentials grant type, the OAuth2 endpoint in UAA accepts the username and password and provides Access Tokens. refresh_token The refresh tokens are credentials used to obtain access tokens. You can choose this option to obtain refresh token from UAA. You can then use the refresh token to obtain a new access token from UAA when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope. implicit When you use the implicit grant type, UAA directly issues an Access Token to the client without authenticating the client. This reduces the number of round trips required to obtain an access token. For more information on grant types, see RFC 6749.
Client Secret	Specify the password. It is important that you keep a note of this password. If lost, this password cannot be retrieved.
Confirm Client Secret	Reenter the client secret.
Redirect URI	Specify a redirect URI to redirect the client after login or logout (for example, `http://example-app.com/callback`). Use this URI when you start using UAA as the service provider for your external Identity provider. UAA uses the value of Redirect URI for `/oauth/authorize` and `/logout` endpoints. You must specify a Redirect URI value if you use the Authorization Code or Implicit authorization grant type. When you use the Authorization Code grant type, the Redirect URI is your application's endpoint or callback that expects user authorization code. When you use the Implicit grant type, the Redirect URI is the end point where UAA sends the bearer token. Unique Resource Identifier consists of: Access Protocol, `http` or `https` Domain or IP address Access Port such as 80 or 443 Path If you have a specific URL for your application callback, you can use that to set the Redirect URI value for the related client. For example, `https://your-app-domain.run.aws-usw02-pr.ice.predix.io/path1/path2/callback`. You can specify multiple values for Redirect URI as a list of allowed destinations that UAA server can redirect the users. For example, `https://yourappdomain1.run.aws-usw02-pr.ice.predix.io/path1/path2/callback`, `https://yourappdomain2.run.aws-usw02-pr.ice.predix.io/path1/path2/callback`. If the subdomain of your application is dynamic, you can set the value of Redirect URI using wilcards. For example, `https://.your-app-domain.run.aws-usw02-pr.ice.predix.io/path1/path2/callback`. Note: You must only use ‘’ for a domain that is exclusive to your application (Such as `your-app-domain` in example above). This prevents the redirect to be routed to an application that you do not own. You cannot use `*` in the top domain and sub domain (such as `predix.io` in the example above).
Scopes	Scopes are permissions associated with an OAuth Client to determine user access to a resource through an application. The user permissions are for authorization grant types `authorization_code`, `password` and `implicit`. By default, the admin client is assigned all required scopes. For a new client, an administrator can select the scopes to be added based on client requirements. For a list of available scopes, see Scopes Authorized by the UAA. To use an OAuth2 client for your Predix Platform service instance, you must update your OAuth2 client to add scopes that are specific to each service after adding the client to the service instance.
Authorities	Authorities are permissions associated with the OAuth Client when an application or API is acting on its own behalf to access a resource with its own credentials, without user involvement. The permissions are for the `client_credentials` authorization grant type. By default, the admin client is assigned all required authorities. For a new client, an administrator can select the authorities to be added based on client requirements. The list of authorities matches the list of scopes. For a list of available UAA scopes, see Scopes Authorized by the UAA. To use an OAuth2 client for your Predix Platform service instance, you must update your OAuth2 client to add authorities that are specific to each service after adding the client to the service instance. Note: An admin client is not assigned the default authority to change the user password. To change the user password, you must add the `uaa.admin` authority to your admin client.
Auto Approved Scopes	Specify scopes that can be approved automatically for the client without explicit approval from a resource owner.
Allowed Providers	Specifies the names of the external identity providers, if any. This field is required if you are using external identity providers with UAA as a service provider.
Access Token Validity	Specifies the access-token expiration time in ms.
Refresh Token Validity	Specifies the refresh-token expiration time in ms.

What To Do Next

uaas-managing-clients.html#task_k3h_k2c_1x for your service specific information.

Updating the OAuth2 Client for Services

To use an OAuth2 client for secure access to your Predix Platform service instance from your application, you must update your OAuth2 client to add additional authorities or scopes that are specific to each service.

About This Task

To enable your application to access a platform service, your JSON Web Token (JWT) must contain the scopes required for a platform service. For example, some of the scope required for Access Control service are acs.policies.read acs.policies.write.

The OAuth2 client uses an authorization grant to request an access token. Based on the type of authorization grant that you have used, you must update your OAuth2 client to generate the required JWT. For more information on how the OAuth2 client is created, see Creating OAuth2 client.

If you use the UAA Dashboard to create additional clients, the client is created for the default client_credentials grant type. Some required authorities and scopes are automatically added to the client. You must add additional authorities or scopes that are specific to each service.

In addition, the admin client is not assigned the default authority to change the user password. To change the user password, you must add the uaa.admin authority to your admin client.

Use the following procedure to update the OAuth2 client.

Procedure

In the Console view, select the Space where your services are located.
In the Services Instances page, select the UAA instance to configure.
Select the Configure Service Instance option.
In the UAA Dashboard login page, specify your admin client secret and click Login.
In UAA Dashboard, select the Client Management tab.
The Client Management tab has two views, Clients and Services. The Services view displays the service instances that you have created for your services.
Note: The service instances displayed in the Services view are the instances that you created using the UAA that you are trying to configure. The service instances that you created using some other UAA instance are not displayed on this page.
Select the Switch to Services View option.
In the Services view, select the service that you need to update.
Choose an existing client or choose the Create a new client option. If you chose to create a new client, follow the steps in uaas-managing-clients.html#task_79a81b74-552e-4f74-abfc-bd37e6adac87.
Click Submit.
Click on the Switch to Clients View option.
In the Clients view, click the edit icon corresponding to the client added in the previous step.

Complete the Edit Client form.


Field	Description
Authorized Grant Types	Choose one or more of the following grant types: authorization_code When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code. client_credentials When you use the client credentials grant type, the OAuth2 endpoint in UAA accepts the client ID and client secret and provides Access Tokens. password When you use the resource owner password credentials grant type, the OAuth2 endpoint in UAA accepts the username and password and provides Access Tokens. refresh_token The refresh tokens are credentials used to obtain access tokens. You can choose this option to obtain refresh token from UAA. You can then use the refresh token to obtain a new access token from UAA when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope. implicit When you use the implicit grant type, UAA directly issues an Access Token to the client without authenticating the client. This reduces the number of round trips required to obtain an access token. For more information on grant types, see RFC 6749.
Redirect URI	Specify a redirect URI to redirect the client after login (for example, `http://example-app.com/welcome`). This URI is used when you start using UAA as service provider for your external Identify provider.
Scopes	By default, the client is assigned a few required scopes. For a new client, an administrator can select the scopes to be added based on the selected grant type. If you select the `authorization_code`, `password` and `implicit` grant type, you must update the scopes with service specific scopes. For a complete list of required scopes, see uaas-managing-clients.html#reference_ec1_t3d_bx. For a list of available UAA scopes, see Scopes Authorized by the UAA.
Authorities	By default, the client is assigned a few required authorities. For a new client, an administrator can select the authorities to be added based on the selected grant type. If you select the `client_credentials` grant type, you must update the authorities with service specific authorities. For a complete list of scopes to be added for each service, see uaas-managing-clients.html#reference_ec1_t3d_bx. For a list of available UAA authorities, see Scopes Authorized by the UAA.
Auto Approved Scopes	Specify scopes that can be approved automatically for the client without explicit approval from the resource owner.
Allowed Providers	Specify the names of the external identity providers, if any. This field is required if you are using external identity providers with UAA as a service provider.
Access Token Validity	Specifies the access token expiration time in ms.
Refresh Token Validity	Specifies the refresh token expiration time in ms.

What To Do Next

You can complete the following additional tasks in UAA Dashboard:

If you are using authorization grant type as Authorization Code, Implicit, or Resource Owner Password, you can manage users in UAA.
You can create password policies for user passwords.
You can set up external identity provider or use UAA as an identity provider. See Managing Identity Providers.

If you have completed your OAuth2 client setup, you can bind your application to your service instance.

Adding the Required Authorities or Scopes for Event Hub

Enable applications to access Event Hub by adding the Predix zone scopes.

About This Task

When you create a new OAuth2 client, the client is assigned default scopes and authorities. You must add additional authorities or scopes that are specific to each service. To enable applications to access the Event Hub service, your JSON Web Token (JWT) must contain the correct Predix zone token scopes.

Procedure

Update your OAuth2 client with the following zone token scopes for publish:

The below example shows publish zone token scopes from VCAP credentials for publishing using the WebSocket protocol:

"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.wss.publish"
                  ]

uaac client update [client_name] 
    --authorities "uaa.resource predix-event-hub.zones.<Predix-Zone-Id>.user predix-event-hub.zones.<Predix-Zone-Id>.wss.publish" 
    --scope "uaa.resource predix-event-hub.zones.<Predix-Zone-Id>.user predix-event-hub.zones.<Predix-Zone-Id>.wss.publish"

The following example shows publish zone-token scopes from VCAP credentials for publishing using gRPC:

"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.grpc.publish"
                  ]

uaac client update [client_name] 
    --authorities "uaa.resource predix-event-hub.zones.<Predix-Zone-Id>.user predix-event-hub.zones.<Predix-Zone-Id>.grpc.publish" 
    --scope "uaa.resource predix-event-hub.zones.<Predix-Zone-Id>.user predix-event-hub.zones.<Predix-Zone-Id>.grpc.publish"

Update your OAuth2 client with the following zone token scopes for subscribe.

The below example shows subscribe zone-token-scopes from VCAP credentials:

"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.grpc.subscribe"
                  ]

uaac client update [client_name] 
    --authorities "uaa.resource predix-event-hub.zones.<Predix-Zone-Id>.user predix-event-hub.zones.<Predix-Zone-Id>.grpc.subscribe" 
    --scope "uaa.resource predix-event-hub.zones.<Predix-Zone-Id>.user predix-event-hub.zones.<Predix-Zone-Id>.grpc.subscribe"

Setting up Your Application to Access Event Hub

Procedure

To add zone token scopes to a server-side application:
1. Create two Oauth clients (one for publishing and one for subscribing) on any of the trusted issuers that were provided when you created the service instance.
2. Add the publish zone token scopes from the VCAP credentials for the respective clients to their authorities.
  The following example displays publish zone token scopes from VCAP credentials for publishing using the WebSocket protocol:
```
"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.wss.publish"
                  ]
```
  The following example shows publish zone-token scopes from VCAP credentials for publishing using GRPC:
```
"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.grpc.publish"
                  ]
```
3. Add the subscribe zone token scopes from the VCAP credentials for the respective clients to their authorities.
  The below example shows subscribe zone-token-scopes from VCAP credentials:
```
"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.grpc.subscribe"
                  ]
```

To add zone token scopes to a single-page web application that uses client-side JavaScript to consume the Event Hub service instance:

Create two user groups for both publishing and subscribing.

Add the user who needs access to the application to the appropriate groups for publish and subscribe.

For example, for publishing over WebSocket, create two groups with the following names:

"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.wss.publish"
                  ]

For publishing over gRPC, create two groups with the following names:

"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.grpc.publish"
                  ]

For subscribers, create two groups with the following names:

"zone-token-scopes":[  
                     "predix-event-hub.zones.<Predix-Zone-Id>.user",
                     "predix-event-hub.zones.<Predix-Zone-Id>.grpc.subscribe"
                  ]

You must also update your OAuth client scopes with the respective zone token scopes.

See uaas-managing-clients.html#task_79a81b74-552e-4f74-abfc-bd37e6adac87 and uaas-managing-users.html#task_lrr_n5w_fs.

Setting Up a gRPC Client

To publish or subscribe to messages in Event Hub by using gRPC, you must first create a client that can call the publishing and subscribing methods on Event Hub.

Procedure

Create the client stub.

gRPC client initialization varies depending on the language you are working with. You can review the gRPC tutorial for your chosen language at http://www.grpc.io/docs/tutorials/. For information on setting up gRPC with C++, see ehs-getting-started.html#task_3a498117-6e49-4187-8f94-420571a1ef3c.

For example, in Go, you can connect toEvent Hub by creating a client connection like the following:

conn, err := grpc.Dial(target, options)

Note: You must dial the gRPC connection using TLS, as it is enabled with server authentication in Event Hub. See the guide at http://www.grpc.io/docs/guides/auth.html to see how this can be done for the language you are using.

When dialing a gRPC connection, use the publish and subscribe URIs from the environment variables for your application as the target.

You can find the publish and subscribe URIs in the VCAP environment variables. To see the VCAP environment variables, enter the following command:

cf env <application_name>

The VCAP environment variables are returned to you, using a format similar to the following example:

"VCAP_SERVICES": {
	"predix-event-hub-service-instance": [{
		"credentials": {
			"publish": {
				"protocol_details": [{
					"protocol": "grpc",
					"uri": "eventhub.<cf_host>:443",
					"zone-token-scope": ["predix-event-hub.zones.<Predix-Zone-Id>.user", "predix-event-hub.zones.<Predix-Zone-Id>.grpc.publish"]
				}, {
					"protocol": "wss",
					"uri": "wss://eventhub.<cf_host>/v1/stream/messages/",
					"zone-token-scope": ["predix-event-hub.zones.<Predix-Zone-Id>.user", "predix-event-hub.zones.<Predix-Zone-Id>.wss.publish"]

				}],
				"zone-http-header-name": "Predix-Zone-Id",
				"zone-http-header-value": "<Predix-Zone-Id>"
			},
			"subscribe": {
				"protocol_details": [{
					"protocol": "grpc",
					"uri": "eventhub.<cf_host>:443",
					"zone-token-scope": ["predix-event-hub.zones.<Predix-Zone-Id>.user", "predix-event-hub.zones.<Predix-Zone-Id>.grpc.subscribe"]
				}],
				"zone-http-header-name": "Predix-Zone-Id",
				"zone-http-header-value": "<Predix-Zone-Id>"
			}
		},
		"label": "predix-event-hub",
		"name": "sample-event-hub-app",
		"plan": "Beta",
		"provider": null,
		"syslog_drain_url": null,
		"tags": ["predix-event-hub", "eventhub", "event hub"]
	}]
}

Before publishing or subscribing to messages, you must send the following metadata from the client to Event Hub.
```
authorization: <OAuth2 token from UAA instance trusted issuer> 
predix-zone-id: <Predix-Zone-Id>  (same as service instance id and topic) 
content-type: application/grpc
```
The way you get your OAuth2 token depends on the kind of authorization grant type you are using. See Using UAA to Obtain OAuth2 Access Tokens for more information. If you are unsure of what authorization grant type you should use, you should obtain a token using the client credentials grant. See uaas-understanding.html#concept_ybx_dtv_hv.

Note: HTTP/2 does not support capitalization in header keys, so Authorization does not work. Use authorization instead.

The way this data is sent varies according to language type. For example, in Go, on an open client connection you can create a NewPublisherClient/NewSubscriberClient instance and send content in the form of a Context type with metadata added to the Context type.

Setting Up gRPC Clients With C++

To set up Event Hub integration with gRPC by using C++, you create separate publish and subscribe clients.

Before You Begin

Gather the following information:

The Predix zone ID and URI for your Event Hub service instance.
You can find this information in the environment variables for your Event Hub service instance.
The OAuth2 token for your UAA service instance.
For instructions on how to retrieve this information, see uaas-managing-tokens.html#task_fc103b60-f030-4e50-a965-9394c1f76cd0

Procedure

To create a publishing client, use the following code:

std::shared_ptr<Channel> channel = grpc::CreateChannel(event_hub_uri, grpc::SslCredentials(grpc::SslCredentialsOptions()));
std::unique_ptr< Publisher::Stub>stub = Publisher::NewStub(channel);

context.AddMetadata("authorization", oauth_token);
context.AddMetadata("predix-zone-id", predix_zone_id);
context.AddMetadata("content-type", "application/grpc");

std::shared_ptr<grpc::ClientReaderWriter<PublishRequest, PublishResponse>> temp(stub->send(&context));

For details on how to create and publish messages by using C++, see ehs-using-service.html#task_e32ebf7e-1759-4709-bb05-aa60ce6b3d04.

To create a subscribing client, use the following code:

// Obtain credentials from environment variables
char *oauth_token = std::getenv("OAUTH_TOKEN");
char *predix_zone_id = std::getenv("PREDIX_ZONE_ID");
char *event_hub_uri = std::getenv("EVENT_HUB_URI");

// Create channel and stub with metadata
auto channel = grpc::CreateChannel(event_hub_uri, grpc::SslCredentials(grpc::SslCredentialsOptions()));
auto stub = Subscriber::NewStub(channel);
grpc::ClientContext context;
context.AddMetadata("authorization", oauth_token);
context.AddMetadata("predix-zone-id", predix_zone_id);
context.AddMetadata("content-type", "application/grpc");

For details on how to subscribe to messages by using C++, see ehs-using-service.html#task_acba53ef-a959-4dc4-b197-74a9eb5d70bf.