One Identity Safeguard for Privileged Sessions 5.7.0 - REST API Reference Guide

Manage the Safeguard for Privileged Sessions license

You can display information about the currently used Safeguard for Privileged Sessions license from the https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/license endpoint.

The following encryption algorithms are configured on the local SSH service of Safeguard for Privileged Sessions:

• Key exchange (KEX) algorithms:

  diffie-hellman-group-exchange-sha256

• Ciphers:

  aes256-ctr,aes128-ctr

• Message authentication codes:

  hmac-sha2-512,hmac-sha2-256

URL

GET https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/license

Headers

Sample request

The following command lists the configuration options.

curl --cookie cookies -H "Content-Type: application/json" https://10.30.255.28/api/configuration/management/license

Response

The following is a sample response received. For details of the meta object, see Introduction.

{
    "body": {
        "customer": "Balabit",
        "limit": 5000,
        "limit_type": "host",
        "serial": "b937d212-db7d-0f2f-4c87-295e3c57024a",
        "valid_not_after": "2018-11-07",
        "valid_not_before": "2017-11-06"
    },
    "key": "license",
    "meta": {
        "first": "/api/configuration/management/certificates",
        "href": "/api/configuration/management/license",
        "last": "/api/configuration/management/webinterface",
        "next": "/api/configuration/management/root_password",
        "parent": "/api/configuration/management",
        "previous": "/api/configuration/management/health_monitoring",
        "remaining_seconds": 600,
        "transaction": "/api/transaction",
        "upload": "/api/upload/license"
    }
}

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.

Upload a new license

To upload a new license file, complete the following steps.

1. Download your license file from support portal.

2. Open a transaction.

   For details, see Open a transaction.

3. Upload the license file.

   Upload the file to the https://<IP-address-of-Safeguard for Privileged Sessions>/api/upload/license endpoint. For example:

   curl --cookie cookies -F 'data=@/path/license.txt' -H "Expect:" --insecure https://<IP-address-of-Safeguard for Privileged Sessions>/api/upload/license

4. Restart the traffic on Safeguard for Privileged Sessions.

   Safeguard for Privileged Sessions will not use the new license to ongoing sessions. For the new license to take full effect, you must restart all traffic on the Basic Settings > System > Traffic control page of the Safeguard for Privileged Sessions web interface.

   curl --cookie cookies -F 'data=@/path/license.txt' -H "Expect:" --insecure https://<IP-address-of-Safeguard for Privileged Sessions>/api/upload/license

5. Commit your changes.

   For details, see Commit a transaction.

Change contact information

The About page on the Safeguard for Privileged Sessions web interface and the /api/info endpoint contains various contact information. You can change this to a custom email address or URL.

URL

GET https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/support_info

Headers

Sample request

The following command lists the RPC API settings.

curl --cookie cookies https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/support_info

Response

The following is a sample response received when querying the endpoint. For details of the meta object, see Introduction.

{
    "body": {
        "uri": null
    },
    "key": "support_info",
    "meta": {
        "first": "/api/configuration/management/certificates",
        "href": "/api/configuration/management/support_info",
        "last": "/api/configuration/management/webinterface",
        "next": "/api/configuration/management/syslog",
        "parent": "/api/configuration/management",
        "previous": "/api/configuration/management/splunk_forwarder",
        "remaining_seconds": 600,
        "transaction": "/api/transaction"
    }

Change the support link

To change the support link, complete the following steps.

1. Open a transaction.

   For details, see Open a transaction.

2. PUT a JSON object containing the new support link.

   PUT a JSON object containing the new support link to the https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/support_info endpoint. For example:

   curl -X PUT -d '{"uri": { "selection": "mailto", "value": "mailto:support@example.com" } }' -H "Content-Type: application/json" --cookie cookies "https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/support_info"

   To use an HTTP or HTTPS link as contact info, use the following JSON object:

   {
     "uri": {
       "selection": "url",
       "value": "http://example.com"
      }
   }

   To use a email address as contact info, use the following JSON object:

   {
     "uri": {
       "selection": "mailto",
       "value": "mailto:support@example.com"
      }
   }

3. Commit your changes.

   For details, see Commit a transaction.

Splunk integration

Safeguard for Privileged Sessions can forward session data to Splunk near real-time. Using the Balabit Privileged Access Management application you can integrate this data with your other sources, and access all your data related to privileged user activities from a single interface. To configure Safeguard for Privileged Sessions to forward session data to Splunk, complete the following steps.

Prerequisites and restrictions:

• Safeguard for Privileged Sessions version 5 F5 or later

• Splunk version 6.5 or later

• Safeguard for Privileged Sessions does not send historical data to Splunk, only data from the sessions started after you complete this procedure.

URL

GET https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/splunk_forwarder

Headers

Sample request

The following command lists the endpoints for SNMP configuration settings.

curl --cookie cookies https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/splunk_forwarder

Response

The following is a sample response received when querying the endpoint. For details of the meta object, see Introduction.

{
"body": {
    "enabled": true,
    "flush_interval": 600,
    "host":
        { "selection": "fqdn", "value": "splunk.example.com" },
    "pam_address":
        { "selection": "fqdn", "value": "scb55tc.devel.balabit" },
    "port": 8088,
    "ssl":
        { "selection": "insecure" },
    "token": "2134356431"
    }
}

"host":
    { "selection": "fqdn", "value": "splunk.example.com" },

"host":
    { "selection": "ip", "value": "192.168.1.1" },

Configure Splunk forwarder

1. Install the Balabit Privileged Access Management application to your Splunk installation. This will automatically enable and configure the HTTP Event Collector (HEC) in your Splunk installation, and create an HTTP Event Collector authentication token ("HEC token") that Safeguard for Privileged Sessions will use.

   To help identify the source of the received data, the following settings are configured automatically in the Balabit Privileged Access Management application:

   • index:

     The Balabit Privileged Access Management application creates the index automatically. with the name balabit_events.

   • sourcetype:

     The source type of the events the SPS fowards is balabit:event.

2. On your Splunk interface, navigate to Settings > Data inputs > HTTP Event Collector. Copy the Token Value from the Balabit_HEC field. This is the HTTP Event Collector authentication token and you will need it when configuring Safeguard for Privileged Sessions.

3. Create the JSON object that configures Safeguard for Privileged Sessions to forward session data to Splunk.

   POST the JSON object to the https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/management/splunk_forwarder endpoint. You can find a detailed description of the available parameters listed in Splunk integration. For example,

   {
       "enabled": true,
       "flush_interval": 600,
       "host":
           { "selection": "fqdn", "value": "splunk.example.com" },
       "pam_address":
           { "selection": "fqdn", "value": "psm.example.com" },
       "port": 8088,
       "ssl":
           { "selection": "insecure" },
       "token": "2134356431"
   }

4. Commit your changes.

   For details, see Commit a transaction.

5. Splunk will display the data received from Safeguard for Privileged Sessions as it was received from the host set in the pam_address field. By default, this is the hostname and domain name of the Safeguard for Privileged Sessions appliance as set on the /api/configuration/network/naming endpoint. Adjust this field as needed for your environment.

6. Start a session that Safeguard for Privileged Sessions will audit to test your configuration, and verify that the data of the session appears in Splunk.

Manage Safeguard for Privileged Sessions clusters

When you have a set of two or more Safeguard for Privileged Sessions instances in your deployment, you have the possibility to join them into a cluster, and manage them from one central location. You can monitor their status and update their configuration centrally. This is achieved by assigning roles to the individual nodes in your cluster: you can set one of your Safeguard for Privileged Sessions nodes to be the Central Management node and the rest of the nodes are managed from this central node.

URL

GET https://<IP-address-of-any-node-in-cluster>/api/cluster

Headers

Sample request

The following command lists the endpoints available under the cluster endpoint.

curl --cookie cookies https://<IP-address-of-any-node-in-cluster>/api/cluster

Response

The following is a sample response received. For details of the meta object, see Message format.

{
    "items": [
        {
            "key": "configuration_sync",
            "meta": {
                "href": "/api/cluster/configuration_sync"
            }
        },
        {
            "key": "join_request",
            "meta": {
                "href": "/api/cluster/join_request"
            }
        },
        {
            "key": "nodes",
            "meta": {
                "href": "/api/cluster/nodes"
            }
        },
        {
            "key": "promote",
            "meta": {
                "href": "/api/cluster/promote"
            }
        },
        {
            "key": "status",
            "meta": {
                "href": "/api/cluster/status"
            }
        }
    ],
    "meta": {
        "href": "/api/cluster",
        "join_request": "/api/cluster/join_request",
        "nodes": "/api/cluster/nodes",
        "parent": "/api",
        "promote": "/api/cluster/promote",
        "status": "/api/cluster/status",
        "configuration_sync": "/api/cluster/configuration_sync"
    }
}

Promote a Safeguard for Privileged Sessions node to be the Central Management node in a new cluster

You can build a cluster by promoting a Safeguard for Privileged Sessions node to the role of the Central Management node, and then join other nodes to your cluster.

To promote a node to be the Central Management node, complete the following steps:

1. Open a transaction.

   For details, see Open a transaction.

2. Create the Central Management node.

   POST an empty request to the https://<IP-address-of-node-to-become-Central-Management-node>/api/cluster/promote endpoint.

   The following is a sample response received. For details of the meta object, see Message format.

   {
       "body": {
           "address": "<IP-address-of-Central-Management-node>",
           "roles": [
               "central-management"
           ]
       },
       "meta": {
           "href": "/api/cluster/nodes/b35c54da-b556-4f91-ade5-d26283d68277",
           "parent": "/api/cluster/nodes",
           "remaining_seconds": 28800
       }
   }

   Elements		Type	Description
   body		Top-level element (JSON object)	Contains the JSON object of the node.
   	address	string	The IP address of the node.
   	roles	string	The role of the node.

3. Commit your changes.

   For details, see Commit a transaction.

Join node(s) to the cluster

Once you have a Central Management Safeguard for Privileged Sessions node in place, then you can join other nodes to your cluster.

To join nodes to your cluster, complete the following steps for each node that you want to join to the cluster:

1. Open a transaction.

   For details, see Open a transaction.

2. Create a join request.

   POST the IP address of the Central Management node as a JSON object to the https://<IP-address-of-node-to-join-to-cluster>/api/cluster/join_request endpoint. The body of the POST request should be the following:

   {
       "central_management_address": "<IP-address-of-Central-Management-node>"
   }

   For example:

   curl -X POST -H "Content-Type: application/json" --cookie cookies https://<IP-address-of-node-to-join-to-cluster>/api/cluster/join_request --data '{"central_management_address": "<IP-address-of-Central-Management-node>"}'

   The following is a sample response received. For details of the meta object, see Message format.

   By default, no role is assigned to a non-management node, that is why the "roles" array is empty.

   {
       "body": {
           "address": "<IP-address-of-node-joined-to-cluster>",
           "node_id": "46f97a58-4028-467d-9a22-9cfe78ae3e1c",
           "psk": "Ler7HZDFmZCxnLLgHNRfZYfORhlZS99l9vEVr5UKtJEb1d4WeaHcBmQJLs4VDWIn",
           "roles": []
       },
       "meta": {
           "href": "/api/cluster/join_request",
           "parent": "/api/cluster",
           "remaining_seconds": 600
       }
   }

   Elements		Type	Description
   body		Top-level element (JSON object)	Contains the JSON object of the node.
   	address	string	The IP address of the node.
   	node_id	string	A reference ID for the node.
   	psk	string	The pre-shared key of the node used for authentication.
   	roles	string	The role of the node.

3. Join the node to the cluster.

   POST the "body" object of the response to the https://<IP-address-of-Central-Management-node>/api/cluster/nodes endpoint as a JSON object. The body of the POST request should be the following:

   {
       "address": "<IP-address-of-node-joined-to-cluster>",
       "node_id": "46f97a58-4028-467d-9a22-9cfe78ae3e1c",
       "psk": "Ler7HZDFmZCxnLLgHNRfZYfORhlZS99l9vEVr5UKtJEb1d4WeaHcBmQJLs4VDWIn",
       "roles": []
   },

   For example:

   POST -H "Content-Type: application/json" --cookie cookies https://<IP-address-of-Central-Management-node>/api/cluster/nodes --data '{"address": "<IP-address-of-node-joined-to-cluster>", "node_id": "46f97a58-4028-467d-9a22-9cfe78ae3e1c", "psk": "Ler7HZDFmZCxnLLgHNRfZYfORhlZS99l9vEVr5UKtJEb1d4WeaHcBmQJLs4VDWIn","roles": []}'

   If the POST request is successful, the response includes:

   {
       "body": {
           "address": "<IP-address-of-node-joined-to-cluster>",
           "roles": []
       },
       "key": "46f97a58-4028-467d-9a22-9cfe78ae3e1c",
       "meta": {
           "href": "/api/cluster/nodes/46f97a58-4028-467d-9a22-9cfe78ae3e1c",
           "parent": "/api/cluster/nodes",
           "remaining_seconds": 28800
       }
   }

4. Commit your changes on both the Central Management node and the node you joined to the cluster.

   For details, see Commit a transaction.

Query join status

To find out whether a node has been joined to a cluster, complete the following steps.

1. Query the /api/cluster/join_request endpoint on the node whose join status you want to figure out.

   curl GET --cookie cookies https://<IP-address-of-node-to-be-queried>/api/cluster/join_request
   			   

   The following is a sample response received. For details of the meta object, see Message format.

       "details": {
           "central_management_address": "<IP-address-of-Central-Management-node>"
       },
       "meta": {
           "href": "/api/cluster/join_request",
           "parent": "/api/cluster",
           "remaining_seconds": 600
       },
       "status": "in cluster"
   }

   Elements			Type	Description
   details			Top-level element	Contains the IP address of the Central Management node of the cluster.
   	central_management_address		string	The IP address of the Central Management node. Not provided when no cluster has been set up yet.
   status			string	Possible values are: not configured: Displayed when no cluster has been set up yet. in progress: Displayed when the join action is in progress. in cluster: Displayed when the node is already in the cluster.

Assign a role to a node

By default, nodes do not have any roles assigned to them. The only exception is the Central Management node, which you specifically promoted to fulfill that role. To assign a role to a node in the cluster, complete the following steps.

1. Open a transaction.

   For details, see Open a transaction.

2. Update the JSON object of the node.

   PUT the role you want to assign to the node and the node's IP address as a JSON object to the https://<IP-address-of-Central-Management-node>/api/cluster/nodes/<node-id-of-node-to-be-updated> endpoint.

   You can assign the following roles to a node:

   NOTE: The central-management role can only be assigned using the /api/cluster/promote endpoint.

   NOTE: Ensure that each node has a search role and only one search role.

   Role	Description
   managed-host	There can be several nodes with this role. Nodes with the Managed Host role synchronize their entire configuration from the Central Management node, not only those elements of the configuration that are related to the cluster.
   search-master	There can be only one node with this role. The Search Master node is the one node in the cluster on which you can search all the session data recorded by other nodes in the cluster, provided that the other nodes have been assigned the Search Minion role.
   search-minion	There can be several nodes with this role. Nodes with the Search Minion role send session data that they recorded to the Search Master for central search purposes. The session data recorded by a Search Minion node is not searchable on the node itself, only on the Search Master.
   search-local	There can be several nodes with this role. Nodes with the Search Local role keep the session data that they recorded for local searching. The session data recorded by a Search Local node is searchable on the node itself, but not on the Search Master. This is the only backward-compatible search role.

   For further details on roles, see "Cluster roles" in the Administration Guide.

   The body of the PUT request should be the following:

   {
       "roles": ["<role-to-assign>"],
       "address": "<IP-address-of-node-to-be-updated>"
   }

   For example:

   curl -H "Content-Type: application/json" --cookie cookies -X PUT https://<IP-address-of-Central-Management-node>/api/cluster/nodes/46f97a58-4028-467d-9a22-9cfe78ae3e1c --data '{"roles": ["managed-host"], "address": "<IP-address-of-node-to-be-updated>"}'

3. Commit your changes.

   For details, see Commit a transaction.

Query nodes

To list the nodes available in a cluster, complete the following steps.

1. Query the /api/cluster/nodes endpoint on the Central Management node.

   curl --cookie cookies https://<IP-address-of-Central-Management-node>/api/cluster/nodes

   The following is a sample response received. For details of the meta object, see Message format.

   {
       "items": [
           {
               "key": "46f97a58-4028-467d-9a22-9cfe78ae3e1c",
               "meta": {
                   "href": "/api/cluster/nodes/46f97a58-4028-467d-9a22-9cfe78ae3e1c",
                   "status": "/api/cluster/status/46f97a58-4028-467d-9a22-9cfe78ae3e1c"
               }
           },
           {
               "key": "b35c54da-b556-4f91-ade5-d26283d68277",
               "meta": {
                   "href": "/api/cluster/nodes/b35c54da-b556-4f91-ade5-d26283d68277",
                   "status": "/api/cluster/status/b35c54da-b556-4f91-ade5-d26283d68277"
               }
           }
       ],
       "meta": {
           "href": "/api/cluster/nodes",
           "parent": "/api/cluster",
           "remaining_seconds": 28800,
           "self": "/api/cluster/nodes/b35c54da-b556-4f91-ade5-d26283d68277",
           "status": "/api/cluster/status"
       }
   }

   Elements			Type	Description
   items			Top-level element (list of JSON objects)	List of endpoints (objects) available from the current endpoint.
   	key		string	The ID of the node.
   	meta		Top-level item (JSON object)	Contains links to different parts of the REST service.
   		href	string (relative path)	The path of the node that returned the response.
   		status	string (relative path)	The path to the status of the node that returned the response.

Query one particular node

To query one particular node, complete the following steps.

1. Query the /api/cluster/nodes/<node-id-of-node-to-be-queried> endpoint on the node that you want to query.

   curl --cookie cookies https://<IP-address-of-node-to-be-queried>/api/cluster/nodes/<node-id-of-node-to-be-queried>

   The following is a sample response received. For details of the meta object, see Message format.

   {
       "body": {
           "address": "<IP-address-of-node-to-be-queried>",
           "roles": [
               "central-management"
           ]
       },
       "key": "b35c54da-b556-4f91-ade5-d26283d68277",
       "meta": {
           "href": "/api/cluster/nodes/b35c54da-b556-4f91-ade5-d26283d68277",
           "parent": "/api/cluster/nodes",
           "remaining_seconds": 28800,
           "status": "/api/cluster/status/b35c54da-b556-4f91-ade5-d26283d68277"
       }
   }

   Elements		Type	Description
   body		Top-level element (JSON object)	Contains the JSON object of the node.
   	address	string	The IP address of the node.
   	roles	string	The role assigned to the node.
   key		string	The ID of the node.

Query the status of all nodes in the cluster

To query the status of all nodes in your cluster, complete the following steps.

1. Query the /api/cluster/status endpoint on the Central Management node.

   curl --cookie cookies https://<IP-address-of-Central-Management-node>/api/cluster/status

   The following is a sample response received. For details of the meta object, see Message format.

   {
       "items": [
           {
               "fqdn": "psm.example.com",
   	    "key": "b35c54da-b556-4f91-ade5-d26283d68277",
               "meta": {
                   "configuration": "/api/cluster/nodes/b35c54da-b556-4f91-ade5-d26283d68277",
                   "href": "/api/cluster/status/b35c54da-b556-4f91-ade5-d26283d68277"
               }
           },
           {
   	    "fqdn": search-local.cluster,
   	    "key": "46f97a58-4028-467d-9a22-9cfe78ae3e1c",
               "last_seen": "2018-02-08T10:00:30Z",
               "configuration_sync": {
   		"downloaded_xml_hash": "2853830f4aa0a90a63e75bab1b22e513",	
                   "last_updated": "2018-02-08T09:59:04Z",
                   "last_checked": "2018-02-08T09:59:44Z",
                   "issues": {}
                   }
            },
               "meta": {
                   "configuration": "/api/cluster/nodes/46f97a58-4028-467d-9a22-9cfe78ae3e1c",
                   "href": "/api/cluster/status/46f97a58-4028-467d-9a22-9cfe78ae3e1c"
               }
           }
       ],
       "meta": {
           "href": "/api/cluster/status",
           "parent":  "/api/cluster",
           "self": "/api/cluster/status/b35c54da-b556-4f91-ade5-d26283d68277"
       }
   }

   Elements			Type	Description
   items			Top-level element (list of JSON objects)	List of endpoints (objects) available from the current endpoint.
   	fqdn		string	The address of the node as a fully qualified domain name.
   	key		string	The ID of the node.
   	meta		Top-level item (JSON object)	Contains links to different parts of the REST service.
   		configuration	string (relative path)	The path to the configuration of the node that returned the response.
   		href	string (relative path)	The path to the node that returned the response.
   	last_seen		string	The last time the node sent status information to the Central Management node, in ISO 8601 format.
   	configuration_sync		Top-level item (JSON object)
   		downloaded_xml_hash	string	The hash of the latest downloaded configuration file (used for configuration synchronization). If no configuration file has been downloaded yet, it says null.
   		last_updated	string	The last time the node's configuration was synchronized, in ISO 8601 format.
   		last_checked	string	The last time the node attempted to fetch a new configuration, in ISO 8601 format.
   		issues	Top-level item (JSON object)	The issues that occurred during configuration synchronization.

   Elements of issues		Type	Description
   warning		Top-level item (JSON object)
   	message	string	Human-readable text explaining why the warning occurred.
   	details	array	List of additional information about the warning (for example, the path where the warning occurred).
   error		Top-level item (JSON object)
   	type	string	The type of the error.
   	message	string	Human-readable text explaining why the error occurred.
   	details	JSON object	List of additional information about the error (for example, the path where the error occurred).

Query the status of one particular node

To query the status of one particular node in your cluster, complete the following steps.

1. Query the /api/cluster/status/<node-id-of-node-to-be-queried> endpoint on the Central Management node.

   curl --cookie cookies https://<IP-address-of-Central-Management-node>/api/cluster/status/<node-id-of-node-to-be-queried>

   The following is a sample response received. For details of the meta object, see Message format. For details of the other objects, see tables Cluster status details and "issues" object details.

   {
       "fqdn": "search-local.cluster",
       "key": "46f97a58-4028-467d-9a22-9cfe78ae3e1c",
       "configuration_sync": {
   	"downloaded_xml_hash": "2853830f4aa0a90a63e75bab1b22e513",			
           "last_updated": "2018-02-08T09:59:30Z",
           "last_checked": "2018-02-08T09:59:30Z",
           "issues": {}
       },
       "last_seen": "2018-02-08T10:00:00Z",
       "meta": {
           "configuration": "/api/cluster/nodes/46f97a58-4028-467d-9a22-9cfe78ae3e1c",
           "href": "/api/cluster/status/46f97a58-4028-467d-9a22-9cfe78ae3e1c"
       }
   }

Upload and enable a configuration synchronization plugin

Nodes fetch their configuration from the Central Management node, and merge it into their own configuration. Depending on their role, nodes may merge the whole configuration into their own (Managed Host nodes), or only the cluster-specific parts (nodes with no roles assigned). Whenever a configuration change is made on the Central Management node and the change is committed, it is synchronized to all nodes in the cluster as soon as the nodes fetch the latest configuration from the Central Management node.

When synchronizing the central configuration across nodes, you may want to:

• Keep certain parts in the configuration of individual nodes as-is.

• Tailor certain parts of the central configuration to specific needs of individual nodes in the cluster (for example, your nodes may access external services at different network addresses).

You can achieve all of these by using a configuration synchronization plugin that contains transformations for the problematic parts. A One Identity Service Delivery Engineer can help you write customized transformations, contact professionalservices@balabit.com for assistance.

To upload a configuration synchronization plugin to the Central Management node, complete the following steps.

1. Open a transaction.

   For details, see Open a transaction.

2. Upload the plugin file.

   POST the plugin as a zip file (application/zip) to thehttps://<IP-address-of-Central-Management-node>/api/upload/pluginsendpoint, for example:

   curl -X POST -H "Content-Type: application/zip" --cookie cookies https://<IP-address-of-Central-Management-node>/api/upload/plugins --data-binary @<path-to-plugin.zip>

   The following is a sample response received. For details of the meta object, see Message format.

   {
       "body": {
           "api": "1.0",
           "default_configuration": "",
           "description": "Whitelist the list of paths when merging the configuration",
           "name": "whitelist",
           "path": "/opt/scb/var/plugins/configuration_sync/whitelist",
           "scb_max_version": "",
           "scb_min_version": "",
           "version": "1.0"
       },
       "key": "794a5e17-b8be-4426-8596-0dfc129c06ef",
       "meta": {
           "href": "/api/configuration/plugins/configuration_sync/794a5e17-b8be-4426-8596-0dfc129c06ef",
           "parent": "/api/configuration/plugins/configuration_sync",
           "remaining_seconds": 599
       }
   }

   Elements		Type	Description
   body		Top-level element (JSON object)
   	api	string	Always "1.0".
   	default_configuration	string	Contains the default configuration of the plugin if there is one.
   	description	string	The description of what the plugin does.
   	name	string	The name of the plugin.
   	path	string	The path to the plugin.
   	scb_max_version	string	The plugin is compatible with Safeguard for Privileged Sessions versions not later than this one.
   	scb_min_version	string	The plugin is compatible with Safeguard for Privileged Sessions versions not earlier than this one.
   	version	string	The version number of the plugin.
   key		string	The ID of the plugin.

3. To enable the plugin, replace /api/cluster/configuration_sync_plugin with:

   {
       "enabled": true,
       "plugin": "<'key' from-response-of-last-creation>",
       "configuration": ""
   }

   For example:

   curl -X POST -H "Content-Type: application/json" --cookie cookies https://<IP-address-of-Central-Management-node>/api/cluster/configuration_sync_plugin --data '{"enabled": true, "plugin": "794a5e17-b8be-4426-8596-0dfc129c06ef", "configuration": ""}'

   The following is a sample response received:

   {
       "plugin": {
           "key": "794a5e17-b8be-4426-8596-0dfc129c06ef",
           "meta": {
               "href": "/api/configuration/plugins/configuration_sync/794a5e17-b8be-4426-8596-0dfc129c06ef"
           }
       }
   }

4. Commit your changes.

   For details, see Commit a transaction.

Disable a configuration synchronization plugin

To disable a configuration synchronization plugin on the Central Management node, complete the following steps.

1. Open a transaction.

   For details, see Open a transaction.

2. To disable the plugin, replace /api/cluster/configuration_sync_plugin with:

   {
       "enabled": false
   }

   For example:

   curl -X POST -H "Content-Type: application/json" --cookie cookies https://<IP-address-of-Central-Management-node>/api/cluster/configuration_sync_plugin --data '{"enabled": false}'

   The following is a sample response received:

   {
       "plugin": {
           "key": null,
           "meta": {}
       }
   }

3. Commit your changes.

   For details, see Commit a transaction.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.