Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 8.0 LTS - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections MSSQL connections RDP connections SSH connections Telnet connections VNC connections Search, retrieve, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST REST API examples

Reviewing the changelog of a transaction

To review your changes, retrieve the changelog of the transaction. For details about the transaction model of SPS, see How to configure SPS using REST.

URL
GET https:<IP-address-of-SPS>/api/transaction/changes
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command retrieves the changelog of the transaction.

curl --cookie cookies.txt https://<IP-address-of-SPS>/api/transaction/changes
Response

The response contains the list of changes performed in the transaction, as list of JSON objects. Every change has a type and a path, other elements depend on the type of the transaction. For example, when you delete an object, the changelog includes the deleted object in the old_value field.

Element Type Description
new_order list The new order of a list after the change. This field is available for reorder transactions.
new_value string or JSON object The value of the object after the change. For example, the new value of a parameter.
old_order string or JSON object The order of a list before the change. This field is available for reorder transactions.
old_value string or JSON object The value of the object before the change. For example, the value of a deleted object.
path string Path of the changed endpoint or object.
type string The type of the change. One of: create, delete, reorder, replace

The following is a sample response received if the changelog is empty.

{
  "meta": {
    "href": "/api/transaction/changes",
    "parent": "/api/transaction",
    "transaction": "/api/transaction"
  },
  "changes": []
}

The following is a sample changelog received after deleting a Channel policy.

{
  "meta": {
    "href": "/api/transaction/changes",
    "parent": "/api/transaction",
    "transaction": "/api/transaction"
  },
  "changes": [
    {
      "old_value": {
        "name": "deny",
        "rules": []
      },
      "path": "/api/configuration/ssh/channel_policies/94615110156697e93121f3",
      "type": "delete"
    }
  ]
}
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
200 OK Transaction changelog has been retrieved successfully.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
405 MethodNotAllowed You tried using an unsupported HTTP method. Use the GET method to retrieve the changelog a transaction.

Defaults query parameter

You can use the ?defaults query parameter to get information about all default configuration values under /api/configuration. You can include this parameter in either a POST or a PUT request with a partial request body which contains only a few configuration fields. Then the API will respond with a configuration object which shows how the API would complete the partial request body with default values.

URL
https://<IP-address-of-SPS>/api/configuration/example?defaults
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Operations

HTTP method

URL

Description

Notes

POST

/api/configuration/example?defaults

Listing the default parameters of a resource before creating it

 

PUT

/api/configuration/example/resource?defaults

Listing the default parameters of a resource before modifying it

 

Sample request

Querying the default values for singleton resources, for example syslog servers request.

curl --cookie cookies.txt --request PUT --data '@-' https://<IP-address-of-SPS>/api/configuration/management/syslog?defaults <<'REQUEST'
{
    "receivers": [
        {}
    ]
}
REQUEST
Sample response
{
    "body": {
        "encryption": {
            "client_authentication": null,
            "trust_store": null
        },
        "include_node_id": true,
        "receivers": [
            {
                "address": {
                    "selection": "ip",
                    "value": "127.0.0.1"
                },
                "port": 1,
                "protocol": {
                    "ip_protocol": "tcp",
                    "protocol_type": "legacy-bsd",
                    "tls_enabled": false
                }
            }
        ]
    },
    "key": "syslog",
    "meta": {
        "first": "/api/configuration/management/accounting",
        "href": "/api/configuration/management/syslog",
        "last": "/api/configuration/management/web_gateway_authentication",
        "next": "/api/configuration/management/system_backup",
        "parent": "/api/configuration/management",
        "previous": "/api/configuration/management/support_info",
        "transaction": "/api/transaction"
    }
}

For more information on syslog servers, see Syslog server settings.

For more information on the meta object, see Message format.

Sample request

Querying defaults for objects in a container, for example SSH authentication policies.

curl --cookie cookies.txt --request POST --data '@-' https://<IP-address-of-SPS>/api/configuration/ssh/authentication_policies?defaults <<'REQUEST'
{
    "backend": {
        "selection": "radius"
    }
}
REQUEST
Sample response
{
    "body": {
        "backend": {
            "authentication_protocol": "pap",
            "selection": "radius",
            "servers": [
                {
                    "address": {
                        "selection": "ip",
                        "value": "127.0.0.1"
                    },
                    "port": 1,
                    "shared_secret": {
                        "key": "",
                        "meta": {
                            "href": "/api/configuration/passwords"
                        }
                    }
                }
            ]
        },
        "gateway_methods": {
            "kerberos": false,
            "password": false,
            "public_key": false
        },
        "name": "unknown",
        "relayed_methods": {
            "kerberos": false,
            "keyboard_interactive": true,
            "password": true,
            "public_key": {
                "selection": "agent"
            }
        }
    },
    "key": "",
    "meta": {
        "first": "/api/configuration/ssh/authentication_policies",
        "href": "/api/configuration/ssh/authentication_policies",
        "last": "/api/configuration/ssh/settings_policies",
        "next": "/api/configuration/ssh/channel_policies",
        "parent": "/api/configuration/ssh",
        "previous": null,
        "transaction": "/api/transaction"
    }
}

For more information on SSH authentication policies, see SSH authentication policies.

For more information on the meta object, see Message format.

Application level error codes

In addition to the standard HTTP status codes, in certain cases, the SPS REST server provides additional information in the response about the error. The following table contains a brief description of such errors. For more details, see the error object in the response body.

Code Description Notes
400 InvalidRequestBody The request body sent by the user has an invalid format. This may be an error with the encoding or the body is not a properly encoded JSON value.
400 ConfigTreeNotAvailable An error occurred while preparing the configuration tree for the REST API.
400 SyntacticError A value to be set is not accepted syntactically. The details section contains the path that was found to be invalid.
400 InvalidPath The path provided by the client contains a syntax error. Path components are restricted to contain only lowercase alphanumeric characters, the dash (-) and the underscore (_) characters. The details section contains the path that was attempted to be accessed, but could not be retrieved.
400 SemanticError The configuration contains semantic errors, inconsistencies or other problems that would put the system into an unreliable state if the configuration had been applied. The details section contains the errors that were found in the configuration.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
401 AuthenticationFailure Authenticating the user with the given credentials has failed.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404 NodeNotFound The requested endpoint does not exist in the configuration. The details section contains the path that you tried to access, but could not be retrieved.
404 NodeNotAvailable The requested endpoint exists in the configuration, however, it is not available directly. The details section contains the path that you tried to access, but could not be retrieved.
404 NotFound The queried user does not exist in the database.
405 MethodNotAllowed An attempt was made to change a configuration subtree in an unsupported way. The method <method> is not allowed for this node.
409 MidAirCollisionSemanticError This error occurs when the configuration has been changed by another client between starting and committing a transaction, and the changes in the transaction would interfere semantically with the changes of that other user. The recommended strategy to resolve this error is to review the changes made in the failing transaction, then roll it back, start a new transaction, redo the changes, and finally, commit the new transaction.
409 WebGuiOrConsoleConfigInProgress The configuration of SPS is locked. Committing a new transaction is not allowed while another user is modifying configuration through interfaces other than the REST API. For example, web GUI, console, and so on.
409 MidAirCollision This error occurs when the configuration has been changed by another client between starting and committing a transaction, and the changes in the transaction would overwrite or interfere with the changes of that other user. The recommended strategy to resolve this error is to review the changes made in the failing transaction, then roll it back, start a new transaction, redo the changes, and finally, commit the new transaction.
409 NoTransaction An attempt was made to change the configuration when no transaction was open.
409 DoubleTransaction This error is returned when the client attempts to open a transaction while another transaction of that client is already started.
417 Expectation Failed

If you receive the "417 - Expectation Failed" error code when using curl, use curl with the --http1.0 or the -H "Expect:" option.

500 CommitMessageMissing This error is returned when a commit message is required for committing a transaction, but it was not provided in the commit request.
500 TransactionCommitError Unexpected internal errors during committing a transaction are interpreted as TransactionCommitError.
500 AuthorizationError The request could not be authorized due to an unexpected internal error.

Navigating the configuration of SPS

HATEOAS navigation links

The main starting point of navigating the SPS configuration using REST is the https:<IP-address-of-SPS>/api/configuration endpoint. If you query this endpoint, the response contains a list of other endpoints that you can follow to list the various resources of SPS, or to list the objects of a specific resource. For example, https:<IP-address-of-SPS>/api/configuration/rdp lists resources related to controlling the Remote Desktop (RDP) protocol, while https:<IP-address-of-SPS>/api/configuration/rdp/channel_policies lists the available RDP Channel Policies.

Note that when you want to create an object that references another object (for example, a Channel Policy that uses a Content Policy), then the referenced object (in this case, the Content Policy) must already exist. For details, see Create a new object.

To modify or delete an object, you need the ID of the object. For details, see Change an object and Delete an object.

The following is a sample command to query the https:<IP-address-of-SPS>/api/configuration endpoint, and a sample response.

curl --cookie cookies.txt https:<IP-address-of-SPS>/api/configuration

Response status: 200
--- BEGIN RESPONSE BODY ---
{
  "meta": {
    "first": "/api/configuration",
    "href": "/api/configuration",
    "last": "/api/configuration",
    "next": null,
    "parent": null,
    "previous": null,
    "transaction": "/api/transaction"
  },
  "items": [
    {
      "key": "aaa",
      "meta": {
        "href": "/api/configuration/aaa"
      }
    },
    {
      "key": "alerting",
      "meta": {
        "href": "/api/configuration/alerting"
      }
    },
    {
      "key": "datetime",
      "meta": {
        "href": "/api/configuration/datetime"
      }
    },
    {
      "key": "http",
      "meta": {
        "href": "/api/configuration/http"
      }
    },
    {
      "key": "ica",
      "meta": {
        "href": "/api/configuration/ica"
      }
    },
    {
      "key": "local_services",
      "meta": {
        "href": "/api/configuration/local_services"
      }
    },
    {
      "key": "management",
      "meta": {
        "href": "/api/configuration/management"
      }
    },
    {
      "key": "network",
      "meta": {
        "href": "/api/configuration/network"
      }
    },
    {
      "key": "passwords",
      "meta": {
        "href": "/api/configuration/passwords"
      }
    },
    {
      "key": "plugins",
      "meta": {
        "href": "/api/configuration/plugins"
      }
    },
    {
      "key": "policies",
      "meta": {
        "href": "/api/configuration/policies"
      }
    },
    {
      "key": "private_keys",
      "meta": {
        "href": "/api/configuration/private_keys"
      }
    },
    {
      "key": "rdp",
      "meta": {
        "href": "/api/configuration/rdp"
      }
    },
    {
      "key": "reporting",
      "meta": {
        "href": "/api/configuration/reporting"
      }
    },
    {
      "key": "ssh",
      "meta": {
        "href": "/api/configuration/ssh"
      }
    },
    {
      "key": "telnet",
      "meta": {
        "href": "/api/configuration/telnet"
      }
    },
    {
      "key": "troubleshooting",
      "meta": {
        "href": "/api/configuration/troubleshooting"
      }
    },
    {
      "key": "trust_stores",
      "meta": {
        "href": "/api/configuration/trust_stores"
      }
    },
    {
      "key": "vnc",
      "meta": {
        "href": "/api/configuration/vnc"
      }
    },
    {
      "key": "x509",
      "meta": {
        "href": "/api/configuration/x509"
      }
    }
  ]
}
--- END RESPONSE BODY ---
Schema of the REST API

The /api/schema provides an OpenAPI schema about the REST API endpoints under the /api/configuration path. You can fetch the /api/schema without authentication. The schema follows the OpenAPI 3.1 standard.

curl https://<IP-address-of-SPS>/api/schema > openapi-schema.json
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating