One Identity Safeguard for Privileged Sessions 5.7.0

Message format How to configure Safeguard for Privileged Sessions using REST How to configure Safeguard for Privileged Sessions using REST: a sample transaction

Using the Safeguard for Privileged Sessions REST API

Authenticate to the Safeguard for Privileged Sessions REST API Authenticate to the Safeguard for Privileged Sessions REST API using X.509 certificate Retrieve user information Checking the transaction status Open a transaction Commit a transaction Delete a transaction Reviewing the changelog of a transaction Application level error codes Navigating the configuration of Safeguard for Privileged Sessions Headers

Basic settings

Retrieve basic firmware and host information Network settings

Web interface Network configuration options DNS servers Routing between interfaces Naming options Network addresses Routing table Local services of Safeguard for Privileged Sessions Local services: Web login for administrators Local services: Web login for users

Date and time

Date & time NTP servers Timezone

Logs, monitoring and alerts

Management options Syslog server settings Disk fill-up prevention Mail settings Health monitoring SNMP settings SNMP traps Local services: access for SNMP agents Alerting System alerts Traffic alerts

User management and access control

User management and access control Authentication and user database settings Privileges of usergroups Manage users and usergroups locally on Safeguard for Privileged Sessions Manage usergroups locally on Safeguard for Privileged Sessions Manage users locally on Safeguard for Privileged Sessions

Managing Safeguard for Privileged Sessions

Troubleshooting options Internal certificates Headers Headers Headers Local services: enabling SSH access to the Safeguard for Privileged Sessions host RPC API Manage the Safeguard for Privileged Sessions license Change contact information Splunk integration Manage Safeguard for Privileged Sessions clusters

General connection settings

Channel policy Policies Audit policies Real-time content monitoring with Content Policies LDAP servers Signing CA policies Time policy Trusted Certificate Authorities Local user databases User lists

HTTP connections

HTTP connections HTTP connection policies Global HTTP options HTTP settings policies

Citrix ICA connections

ICA connections ICA connection policies Global ICA options ICA settings policies

RDP connections

RDP connections Status and error codes RDP channels Configuring domain membership Global RDP options RDP settings policies

SSH connections

SSH connections Status and error codes SSH channels SSH authentication policies Global SSH options SSH settings policies SSH host keys and certificates

Telnet connections

Telnet connections Telnet connection policies Global Telnet options

VNC connections

VNC connections VNC connection policies Global VNC options

Search, download, and index sessions

Audited sessions Download audit trails Searching in the session database Searching in connection content Session statistics Session histogram Session alerts Session events Local services: configuring the indexer Indexer policies

Reporting

Reporting Reports Built-in subchapters Pre-defined reports Content subchapters Custom subchapters Connection statistics subchapters

Advanced authentication and authorization

Usermapping policy Upload a plugin Authentication and authorization plugins Credential store plugins Credential stores Ticketing policies Ticketing plugins

Completing the Welcome Wizard using REST

Enable and configure analytics using REST

Enable One Identity Safeguard for Privileged Analytics Configure One Identity Safeguard for Privileged Analytics

About us Third-party contributions

VNC connections

VNC connections > VNC connections

List of endpoints for configuring the policies, options and connection rules of VNC connections.

URL

GET https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/vnc

Headers

Header name	Description	Required	Values
session_id	Contains the authentication token of the user	Required	The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API. Note that this session ID refers to the connection between the REST client and the Safeguard for Privileged Sessions REST API. It is not related to the sessions that Safeguard for Privileged Sessions records (and which also have a session ID, but in a different format).

Header name

Description

Required

Values

session_id

Contains the authentication token of the user

Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API.

Note that this session ID refers to the connection between the REST client and the Safeguard for Privileged Sessions REST API. It is not related to the sessions that Safeguard for Privileged Sessions records (and which also have a session ID, but in a different format).

Sample request

The following command lists the available settings for configuring for VNC connections.

curl --cookie cookies https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/vnc

Response

The following is a sample response received when listing the configuration settings. For details of the meta object, see Introduction.

{
  "items": [
    {
      "key": "channel_policies",
      "meta": {
        "href": "/api/configuration/vnc/channel_policies"
      }
    },
    {
      "key": "options",
      "meta": {
        "href": "/api/configuration/vnc/options"
      }
    }
  ],
  "meta": {
    "first": "/api/configuration/aaa",
    "href": "/api/configuration/vnc",
    "last": "/api/configuration/x509",
    "next": "/api/configuration/x509",
    "parent": "/api/configuration",
    "previous": "/api/configuration/troubleshooting",
    "transaction": "/api/transaction"
  }
}

Item	Description
channel_policies	List of the default and custom channel policies.
options	List of global VNC options that affect all connections.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.

Code	Description	Notes
401	Unauthenticated	The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
401	AuthenticationFailure	Authenticating the user with the given credentials has failed.
404	NotFound	The requested object does not exist.

VNC connection policies

VNC connections > VNC connection policies

Connection policies determine if a server can be accessed from a particular client. Connection policies reference other resources (policies, usergroups, keys) that must be configured and available before creating a connection policy.

Caution:

The connection policies of this protocol are available in READ-ONLY mode on the REST API. Also, the returned data is incomplete, it does not include any protocol-specific settings, only the parameters that are common to every supported protocol.

To modify the connection policies of this protocol, you must use the Safeguard for Privileged Sessions web interface.

Using the REST API, you can modify the connection policies of the RDP and SSH protocols.

URL

GET https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/vnc/connections/

Headers

Header name	Description	Required	Values
session_id	Contains the authentication token of the user	Required	The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API. Note that this session ID refers to the connection between the REST client and the Safeguard for Privileged Sessions REST API. It is not related to the sessions that Safeguard for Privileged Sessions records (and which also have a session ID, but in a different format).

Header name

Description

Required

Values

session_id

Contains the authentication token of the user

Required

Sample request

The following command lists VNC connection policies.

curl --cookie cookies https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/vnc/connections/

The following command retrieves the properties of a specific policy.

curl --cookie cookies https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/vnc/connections/<connection-key>

Global VNC options

VNC connections > Global VNC options

List of options that affect all VNC connections.

URL

GET https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/vnc/options

Headers

Header name	Description	Required	Values
session_id	Contains the authentication token of the user	Required	The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API. Note that this session ID refers to the connection between the REST client and the Safeguard for Privileged Sessions REST API. It is not related to the sessions that Safeguard for Privileged Sessions records (and which also have a session ID, but in a different format).

Header name

Description

Required

Values

session_id

Contains the authentication token of the user

Required

Sample request

The following command lists global VNC options.

curl --cookie cookies https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/vnc/options

Response

The following is a sample response received when listing global VNC options. For details of the meta object, see Introduction.

{
  "body": {
    "audit": {
      "cleanup": {
        "enabled": false
      },
      "timestamping": {
        "selection": "local",
        "signing_interval": 30
      }
    },
    "service": {
      "enabled": true,
      "log_level": 4
    }
  },
  "key": "options",
  "meta": {
    "first": "/api/configuration/vnc/channel_policies",
    "href": "/api/configuration/vnc/options",
    "last": "/api/configuration/vnc/options",
    "next": null,
    "parent": "/api/configuration/vnc",
    "previous": "/api/configuration/vnc/channel_policies",
    "transaction": "/api/transaction"
  }
}

Element			Type	Description
key			Top level item	Contains the ID of the endpoint.
body			Top level item	Contains the elements of the global VNC options.
	audit		Top level item	Contains settings for timestamping and cleanup.
	service		Top level item	Global setting to enable VNC connections, and specify the logging detail.
		enabled	boolean	Set to true to enable VNC connections.
		log_level	int	Defines the logging detail of VNC connections.

Elements of audit			Type	Description
cleanup			Top level item	Global retention settings for VNC connection metadata. To configure retention time for a specific connection policy, use the archive_cleanup_policy element at the endpoint of the policy instead.
	channel_database_cleanup_days		int	Global retention time for the metadata of VNC connections, in days. Must exceed the retention time of the archiving policy (or policies) used for VNC connections, and the connection-specific database cleanup times (if configured).
	enabled		boolean	To enable the global cleanup of VNC connection metadata, set this element to true.
timestamping			Top level item	Global timestamping settings for VNC connections.
	selection		string	Configures local or remote timestamping. Set local to use Safeguard for Privileged Sessions for timestamping. Set remote to configure a remote timestamping server.
	server_url		string	Required for remote timestamping. The URL of the timestamping server. Note that HTTPS and password-protected connections are not supported.
	oid		Top level item	The Object Identifier of the policy used for timestamping.
		enabled	boolean	Required for remote timestamping. Set to true to configure the Object Identifier of the timestamping policy on the timestamping remote server.
		policy_oid	string	Required if the oid is enabled. The Object Identifier of the timestamping policy on the remote timestamping server.
	signing_interval		int	Time interval for timestamping open connections, in seconds.

Examples:

Set Safeguard for Privileged Sessions as the timestamping server:

{
  "audit": {
    "cleanup": {
      "enabled": false
    },
    "timestamping": {
      "selection": "local",
      "signing_interval": 30
    }
  },
  "service": {
    "enabled": true,
    "log_level": 4
  }
}

Enable cleanup, and set it to occur every 10 days:

{
  "audit": {
    "cleanup": {
      "channel_database_cleanup_days": 10,
      "enabled": true
    },
    "timestamping": {
      "selection": "local",
      "signing_interval": 30
    }
  },
  "service": {
    "enabled": true,
    "log_level": 4
  }
}

Change timestamping to a remote server, without specifying a timestamping policy:

{
  "audit": {
    "cleanup": {
      "channel_database_cleanup_days": 10,
      "enabled": true
    },
    "timestamping": {
        "oid": {
          "enabled": false
        },
        "selection": "remote",
        "server_url": "<url-of-timestamping-server>",
        "signing_interval": 30
      }
  },
  "service": {
    "enabled": true,
    "log_level": 4
  }
}

Change timestamping to a remote server, and specify the 1.2.3 timestamping policy:

{
  "audit": {
    "cleanup": {
      "channel_database_cleanup_days": 10,
      "enabled": true
    },
    "timestamping": {
        "oid": {
          "enabled": true,
          "policy_oid": "1.2.3"
        },
        "selection": "remote",
        "server_url": "<url-of-timestamping-server>",
        "signing_interval": 30
      }
  },
  "service": {
    "enabled": true,
    "log_level": 4
  }
}

Modify global VNC settings

To modify global VNC settings, you have to:

Open a transaction.

For details, see Open a transaction.
Modify the JSON object of the global VNC settings endpoint.

PUT the modified JSON object to the https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/vnc/options endpoint. You can find a detailed description of the available parameters listed in Global VNC options. The elements of the audit item are described in Global VNC options.
Commit your changes.

For details, see Commit a transaction.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.

Code	Description	Notes
201	Created	The new resource was successfully created.
401	Unauthenticated	The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
401	AuthenticationFailure	Authenticating the user with the given credentials has failed.
404	NotFound	The requested object does not exist.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

One Identity Safeguard for Privileged Sessions 5.7.0 - REST API Reference Guide

VNC connections

VNC connections

URL

Headers

Sample request

Response

Status and error codes

VNC connection policies

URL

Headers

Sample request

Global VNC options

URL

Headers

Sample request

Response

Examples:

Modify global VNC settings

Open a transaction.

Modify the JSON object of the global VNC settings endpoint.

Commit your changes.

Status and error codes