지금 지원 담당자와 채팅
지원 담당자와 채팅

One Identity Safeguard for Privileged Sessions 7.4 - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections MSSQL connections RDP connections SSH connections Telnet connections VNC connections Search, retrieve, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST REST API examples

Navigating the configuration of SPS

HATEOAS navigation links

The main starting point of navigating the SPS configuration using REST is the https:<IP-address-of-SPS>/api/configuration endpoint. If you query this endpoint, the response contains a list of other endpoints that you can follow to list the various resources of SPS, or to list the objects of a specific resource. For example, https:<IP-address-of-SPS>/api/configuration/rdp lists resources related to controlling the Remote Desktop (RDP) protocol, while https:<IP-address-of-SPS>/api/configuration/rdp/channel_policies lists the available RDP Channel Policies.

Note that when you want to create an object that references another object (for example, a Channel Policy that uses a Content Policy), then the referenced object (in this case, the Content Policy) must already exist. For details, see Create a new object.

To modify or delete an object, you need the ID of the object. For details, see Change an object and Delete an object.

The following is a sample command to query the https:<IP-address-of-SPS>/api/configuration endpoint, and a sample response.

curl --cookie cookies https:<IP-address-of-SPS>/api/configuration

Response status: 200
--- BEGIN RESPONSE BODY ---
{
  "meta": {
    "first": "/api/configuration",
    "href": "/api/configuration",
    "last": "/api/configuration",
    "next": null,
    "parent": null,
    "previous": null,
    "transaction": "/api/transaction"
  },
  "items": [
    {
      "key": "aaa",
      "meta": {
        "href": "/api/configuration/aaa"
      }
    },
    {
      "key": "alerting",
      "meta": {
        "href": "/api/configuration/alerting"
      }
    },
    {
      "key": "datetime",
      "meta": {
        "href": "/api/configuration/datetime"
      }
    },
    {
      "key": "http",
      "meta": {
        "href": "/api/configuration/http"
      }
    },
    {
      "key": "ica",
      "meta": {
        "href": "/api/configuration/ica"
      }
    },
    {
      "key": "local_services",
      "meta": {
        "href": "/api/configuration/local_services"
      }
    },
    {
      "key": "management",
      "meta": {
        "href": "/api/configuration/management"
      }
    },
    {
      "key": "network",
      "meta": {
        "href": "/api/configuration/network"
      }
    },
    {
      "key": "passwords",
      "meta": {
        "href": "/api/configuration/passwords"
      }
    },
    {
      "key": "plugins",
      "meta": {
        "href": "/api/configuration/plugins"
      }
    },
    {
      "key": "policies",
      "meta": {
        "href": "/api/configuration/policies"
      }
    },
    {
      "key": "private_keys",
      "meta": {
        "href": "/api/configuration/private_keys"
      }
    },
    {
      "key": "rdp",
      "meta": {
        "href": "/api/configuration/rdp"
      }
    },
    {
      "key": "reporting",
      "meta": {
        "href": "/api/configuration/reporting"
      }
    },
    {
      "key": "ssh",
      "meta": {
        "href": "/api/configuration/ssh"
      }
    },
    {
      "key": "telnet",
      "meta": {
        "href": "/api/configuration/telnet"
      }
    },
    {
      "key": "troubleshooting",
      "meta": {
        "href": "/api/configuration/troubleshooting"
      }
    },
    {
      "key": "trust_stores",
      "meta": {
        "href": "/api/configuration/trust_stores"
      }
    },
    {
      "key": "vnc",
      "meta": {
        "href": "/api/configuration/vnc"
      }
    },
    {
      "key": "x509",
      "meta": {
        "href": "/api/configuration/x509"
      }
    }
  ]
}
--- END RESPONSE BODY ---
Schema of the REST API

The /api/schema provides an OpenAPI schema about the REST API endpoints under the /api/configuration path. You can fetch the /api/schema without authentication. The schema follows the OpenAPI 3.1 standard.

curl https://<IP-address-of-SPS>/api/schema > openapi-schema.json

Modifying the configuration of SPS

The following sections describe deleting, creating and changing objects.

Delete an object

To delete a configuration object (for example, a policy), use a DELETE request with the ID of the object as the key.

  • You cannot delete policies or objects that are used in other policies (for example, you cannot delete a Time policy that is used in a Channel policy).

  • To delete an element of a list (for example, a user from a local user database), use a PUT request. The body the request should include the entire object, but remove the element you want to delete from the related list of the object.

  • You cannot delete built-in policies that are available on SPS by default.

  • You must commit your changes to take effect. For details, see Commit a transaction.

URL
DELETE https:<IP-address-of-SPS>/api/configuration/<endpoint>/<object-id>
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command deletes an RDP Channel policy.

curl --cookie cookies -X DELETE -https:<IP-address-of-SPS>/api/configuration/rdp/channel_policies/<object-id>
Response

The following is a sample response received.

{
  "meta": {
    "first": "/api/configuration/rdp/channel_policies/-20100",
    "href": "/api/configuration/rdp/channel_policies/<id-of-the-deleted-object>",
    "last": "/api/configuration/rdp/channel_policies/<id-of-the-deleted-object>",
    "next": null,
    "parent": "/api/configuration/rdp/channel_policies",
    "previous": "/api/configuration/rdp/channel_policies/655555",
    "transaction": "/api/transaction"
  }
}
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
200 OK The resource was successfully deleted.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
409 Conflict No open Transaction is available. Open a transaction before using this request. For details, see Open a transaction.

Create a new object

To create a new object (for example, a new policy), complete the following steps.

  1. Authenticate and open a transaction.

  2. Post the new object as a JSON object to the appropriate resource URL.

  3. If successful, the REST server creates an ID for the new object, and returns it in the key field of the response.

  4. Commit the transaction.

Note the following points when you create a request:

  • Note that you cannot simply use the JSON from the response of a similar object. If the object contains references to other resources (for example, a Channel policy references a Time policy), then the JSON object contains an embedded meta object. To get a valid JSON that you can use, you have to replace this embedded object with the ID (key) of the referenced object. For example, the following is a reference to a Time policy:

    "time_policy": {
            "key": "-100",
            "meta": {
                "href": "/api/configuration/policies/time_policies/-100"
            }
        }

    In a POST or PUT request, you have to change it to the following:

    "time_policy": "-100",

    Starting with version 6.1.0, when querying a list of objects, the API response includes the body of the referenced objects as well, not only its reference key, but only if they are immediate child nodes.

  • You have to include empty fields in the object as well, for example:

    "users": [
            { "certificates": [], "passwords": [ "<reference-to-password>" ], "public_keys": [], "username": "myusername" }
            ]
  • The API ignores any unrecognized or nonexistent keys that appear in the body of POST and PUT requests. For example, if you mistype the name of an optional key, it will be silently ignored.

  • The body wrapper that is displayed in the response is not needed when you create or modify an object, for example:

    {
        "name": "my-local-user-database",
        "users": [
            { "certificates": [], "passwords": [ "<reference-to-password>" ], "public_keys": [], "username": "myusername" }
            ]
    }
URL
POST https:<IP-address-of-SPS>/api/configuration/<path-to-the-parent-resource>
Table 1: Headers
Header name Description Required Values
Content-Type Specifies the type of the data sent. SPS uses the JSON format Required application/json
session_id Contains the authentication token of the user Required The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.
Sample request

The following command creates a new RDP Channel policy. The data content of the request is read from the file body.json

curl -H "Content-Type: application/json" -d @body.json --cookie session_id=1aca4793549c6f22aecd98bc1047d1bf32dd76ef -X POST https://<object-id>/api/configuration/rdp/channel_policies/

For a simple RDP Channel policy that uses the default settings and allows only the Drawing channel, the JSON object is the following.

{
  "name": "drawing-only",
  "rules": [
    {
      "actions": {
        "audit": true,
        "content_policy": null,
        "four_eyes": false,
        "ids": false
      },
      "allowed_for": {
        "clients": [],
        "gateway_groups": [],
        "remote_groups": [],
        "servers": [],
        "time_policy": "-100"
      },
      "channel": "#drawing"
    }
  ]
}
Response

The following is a sample response received, showing the properties of Content policy objects.

For more information on the meta object, see Message format.

{
  "key": "f79bcc85-bb8b-4fa5-a141-eb4cf2b6ef33",
  "meta": {
    "href": "/api/configuration/rdp/channel_policies/f79bcc85-bb8b-4fa5-a141-eb4cf2b6ef33",
    "parent": "/api/configuration/rdp/channel_policies",
    "transaction": "/api/transaction"
  }
}
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
201 Created The new resource was successfully created.
400 Bad Request The request body format is invalid. The data is not a properly formatted JSON object.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
409 Conflict No open Transaction is available. Open a transaction before using this request. For details, see Open a transaction.
417 Expectation Failed

If you receive the "417 - Expectation Failed" error code when using curl, use curl with the --http1.0 or the -H "Expect:" option.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택