I want to access HP Helion cloud using Apache jclouds 1.8.0 (via the Apache Brooklyn project) and the configuration I used previously no longer works. The documentation suggests I use the same username and password as the console but this gives me an HTTP 401 authentication error.

The POST data being sent is recorded in the logs, and looks like this (with the formatted and username/password redacted):

{
  "auth":{
    "apiAccessKeyCredentials":{"accessKey":"user@example.org","secretKey":"XXXXXXXX"},
    "tenantName":"user@example.org.com-tenant1"
  }
}

My configuration for jclouds consists of setting the identity and credential as follows:

identity = user@example.org-tenant1:user@example.org
credential = XXXXXXXX

The exception trace was as follows:

java.lang.IllegalStateException: Not authorized to access cloud JcloudsLocation[HP Helion (US East):user@example.org-tenant1:user@example.org] to resolve PortableTemplateBuilder[ports=[22], os=ubuntu, locationId=region-b.geo-1, osVersionRegex=12.04, is64bit=true, imageChooserFunction=brooklyn.location.jclouds.BrooklynImageChooser$3@5ec6379b, minRam=2048]
at brooklyn.location.jclouds.JcloudsLocation.buildTemplate(JcloudsLocation.java:1052) ~[brooklyn-locations-jclouds-0.7.0-20140817.024657-169.jar:0.7.0-SNAPSHOT]
Caused by: org.jclouds.rest.AuthorizationException: POST https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens HTTP/1.1 -> HTTP/1.1 401 Unauthorized
at org.jclouds.openstack.nova.v2_0.handlers.NovaErrorHandler.handleError(NovaErrorHandler.java:93) ~[openstack-nova-1.8.0.jar:1.8.0]
Caused by: org.jclouds.http.HttpResponseException: request: POST https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens HTTP/1.1  [{"auth":{"apiAccessKeyCredentials":{"accessKey":"user@example.org","secretKey":"XXXXXXXX"},"tenantName":"user@example.org-tenant1"}}] failed with response: HTTP/1.1 401 Unauthorized
at org.jclouds.openstack.nova.v2_0.handlers.NovaErrorHandler.handleError(NovaErrorHandler.java:78) ~[openstack-nova-1.8.0.jar:1.8.0]

As it turns out, there are a couple of issues with this. Firstly, there was a change to the way jclouds worked in 1.8.0, documented in the release notes

Starting with 1.8.0, the HP Cloud Object Storage provider requires the region attribute to be specified explicitly. This attribute is now used to select the appropriate endpoint. If the region is not explicitly set, an arbitrary endpoint will be selected, which may differ from the endpoint chosen when using previous versions of jclouds.

This is not a problem for me, but I am now explicitly setting the region in the configuration anyway.

Secondly, after sending a few POST requests to the endpoint with different content, it seems that jclouds is using access key based authentication, rather that username and password authentication. So, after logging into the HP Helion console I selected Manage Access keys from the username drop down at the top of the page. I was then able to click Show Secret keys to reveal the access and secret key data I needed. It might require creation of a new key if the existing ones have expired, but I didn't need to do that. then, I just had to change the jclouds identity and credential data to fit:

identity = user@example.org-tenant1:ACCESSKEYDATA
credential = SECRETKEYDATA

This allows the jclouds API to connect and create VMs successfully.

Finally, I had to configure the region name as part of the location descriptor for Brooklyn, but other jclouds applications may do this differently:

brooklyn.location.named.hpcloud-west = jclouds:hpcloud-compute
brooklyn.location.named.hpcloud-west.region = region-a.geo-1
brooklyn.location.named.hpcloud-west.displayName = HP Helion (US West)