Starting with One Identity Safeguard for Privileged Sessions (SPS) version 4 F2, certain parts and features of SPS can be configured using a REST API (Representational State Transfer Application Programming Interface). The REST server conforms to the Hypermedia as the Engine of Application State (HATEOAS).
The SPS REST API uses JSON over HTTPS. The REST server has a single entry point and all resources are available at paths (URLs) returned in the response for a request sent to the entry point. The only path that is guaranteed not to change is /api/authentication. Every other path should be reached by navigating the links returned.
The SPS REST API allows you to create, read, update and delete (CRUD) the configuration resources of SPS.
The user accessing the SPS REST API must have the REST server privilege. For details, see "Modifying group privileges" in the Administration Guide. Note that the built-in api usergroup does not have this privilege by default, it is used to access the SOAP RPC API of SPS.
For details on using the REST API, see REST API Reference Guide.
This section discusses common scenarios for One Identity Safeguard for Privileged Sessions (SPS).
If a protected server requires public-key authentication from the users, complete one of the following procedures.
In Configuring public-key authentication using local keys, One Identity Safeguard for Privileged Sessions (SPS) stores the public keys of the users and the private-public keypair used in the server-side connection locally on SPS.
In Configuring public-key authentication using an LDAP server and a fixed key, SPS receives the public keys of the users from an LDAP server and uses a locally-stored private-public keypair in the server-side connection.
In Configuring public-key authentication using an LDAP server and generated keys, SPS receives the public keys of the users from an LDAP server. SPS generates a keypair that is used in the server-side connection on-the-fly, then uploads the public key of this pair to the LDAP database. That way the server can authenticate SPS to the (newly generated) public key of the user.
The following describes how to store the public keys of the users and the private-public keypair used in the server-side connection locally on One Identity Safeguard for Privileged Sessions (SPS).
To configure public-key authentication using local keys
Navigate to Policies > Local User Databases and create a Local User Database. Add the users and their public keys to the database. SPS will authenticate the clients to this database. For details on creating and maintaining local user databases, see Creating a Local User Database.
Navigate to Policies > Credential Stores and create a Local Credential Store. Add hostnames and the users to the database. SPS will use these credentials to authenticate on the target server. For details on creating local credential stores, see Configuring local Credential Stores.
Navigate to SSH Control > Authentication Policies and create a new Authentication Policy.
Select Authenticate the client to SPS using > Local > Public key, clear all other options.
Select the appropriate usergroup from the Local User Database field. SPS will authenticate the users to this local database.
Select Relayed authentication methods > Public key > Fix, clear all other options.
Click > Generate. This will generate a private key that is needed only for the configuration, it will not be used in any connection.
The Connection Policy will ignore the settings for server-side authentication (set under Relayed authentication methods) if a Credential Store is used in the Connection Policy.
Navigate to SSH Control > Connections and create a new Connection.
Enter the IP addresses of the clients and the servers into the From and To fields.
Select the authentication policy created in Step 1 in the Authentication Policy field.
Configure the other options of the connection as necessary.
To test the above settings, initiate a connection from the client machine to the server.