Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.2.1 - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections MSSQL connections RDP connections SSH connections Telnet connections VNC connections Search, retrieve, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST REST API examples

Traffic alerts

Configuration options for sending traffic-related alerts.

E-mail alerts, when enabled, are sent to the e-mail address configured in the alerting_address element of the /api/configuration/management/email endoint.

SNMP alerts, when enabled, are sent to the SNMP server configured at the /api/configuration/management/snmp/trap endpoint.

URL
GET https://<IP-address-of-SPS>/api/configuration/alerting/traffic_alerts
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command lists the configuration options for traffic-related alerts..

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/alerting/traffic_alerts
Response

The following is a sample response received when listing the configuration options for traffic-related alerts.

For more information on the meta object, see Message format.

{
  "body": {
    "scbAuthFailure": {
      "email": false,
      "snmp": false
    },
    "scbAuthSuccess": {
      "email": false,
      "snmp": false
    },
    "scbChannelDenied": {
      "email": false,
      "snmp": false
    },
    "scbConnectionDenied": {
      "email": false,
      "snmp": false
    },
    "scbConnectionFailed": {
      "email": false,
      "snmp": false
    },
    "scbConnectionTimedout": {
      "email": false,
      "snmp": false
    },
    "scbCredStoreClosed": {
      "email": false,
      "snmp": false
    },
    "scbCredStoreDecryptError": {
      "email": false,
      "snmp": false
    },
    "scbCredStoreUnlockFailure": {
      "email": false,
      "snmp": false
    },
    "scbGWAuthFailure": {
      "email": false,
      "snmp": false
    },
    "scbGWAuthSuccess": {
      "email": false,
      "snmp": false
    },
    "scbProtocolViolation": {
      "email": false,
      "snmp": false
    },
    "scbRealTimeAlert": {
      "email": false,
      "snmp": false
    },
    "scbSshHostKeyLearned": {
      "email": false,
      "snmp": false
    },
    "scbSshHostKeyMismatch": {
      "email": false,
      "snmp": false
    },
    "scbUserMappingFailure": {
      "email": false,
      "snmp": false
    }
  },
  "key": "traffic_alerts",
  "meta": {
    "first": "/api/configuration/alerting/system_alerts",
    "href": "/api/configuration/alerting/traffic_alerts",
    "last": "/api/configuration/alerting/traffic_alerts",
    "next": null,
    "parent": "/api/configuration/alerting",
    "previous": "/api/configuration/alerting/system_alerts",
    "transaction": "/api/transaction"
  }
}
Element Type Description
key string Top level element, contains the ID of the endpoint.
body Top level element (string) Contains the configuration options for traffic-related alerts.
scbAuthFailure Top level item User authentication failed.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbAuthSuccess Top level item Successful user authentication.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbChannelDenied Top level item Channel opening denied.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbConnectionDenied Top level item Connection denied.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbConnectionFailed Top level item Connection to the server failed.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbConnectionTimedout Top level item Connection timed out.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbCredStoreClosed Top level item The requested credential store is closed.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbCredStoreDecryptError Top level item Failure to decrypt a credential.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbCredStoreUnlockFailure Top level item Failure to unlock the credential store.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbGWAuthFailure Top level item The user failed to authenticate on the gateway.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbGWAuthSuccess Top level item Successful authentication on the gateway.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbProtocolViolation Top level item Protocol violation.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbRealTimeAlert Top level item Real-time audit event detected.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbSshHostKeyLearned Top level item New SSH host key learned.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbSshHostKeyMismatch Top level item SSH host key mismatch.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
scbUserMappingFailure Top level item User mapping failed on the gateway.
email boolean Set to true to enable e-mail alerts.
snmp boolean Set to true to enable SNMP alerts.
Modify a traffic-related alert

To enable or disable an alert, you have to:

  1. Open a transaction

    For more information, see Open a transaction.

  2. Modify the JSON object of the endpoint.

    PUT the modified JSON object to the https://<IP-address-of-SPS>/api/configuration/alerting/traffic_alerts endpoint. You can find a detailed description of the available parameters listed in Element .

  3. Commit your changes

    For more information, see Commit a transaction.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
201 Created The new resource was successfully created.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404 NotFound The requested object does not exist.

Trust stores

Trust stores serve as local certificate storages where users can store the certificate chains of trusted Certificate Authorities (CAs). These certificates are then used to ensure secure communication between external parties and the SPS.

There are two types of trust stores: built-in and custom.

The built-in trust store has well known root CAs (such as Google, Microsoft, Verisign, etc.), and it is not modifiable.

Before establishing secure communication (TLS), SPS verifies the certificate of the other party using the assigned trust store. Only certificates signed by any of the CAs in the trust store are accepted.

NOTE: CRL URLs must be listed explicitly in the appropriate field, as those CRL URLs that are embedded in the extensions of the certificates, will be ignored.

URL
GET https://<IP-address-of-SPS>/api/configuration/trust_stores
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Operations with the trust_stores endpoint include:

Operation

 

HTTP method

URL

Notes
Create a trust store POST /api/configuration/trust_stores The name of the trust store must be unique.
List trust stores GET /api/configuration/trust_stores

Users who were not given read access to the trust_stores endpoint explicitly, are still able to retrieve information from it, if they have access to other /configuration related endpoints, which reference trust stores.

Examples of trust store referrer ACL (read access):

  • /pages/starlingjoin
  • /config/xcb/aaa/settings
  • /config/scb/pol_ldaps

Query a trust store GET /api/configuration/trust_stores/<id of the trust store>  
Query the built-in trust store GET /api/configuration/trust_stores/-7001  
Update a trust store PUT /api/configuration/trust_stores/<id of the trust store>

Users who were not given access to the trust_stores endpoint explicitly, but are still able to retrieve information from it because they have access to configuration endpoints which reference trust stores, are unable to modify trust stores.

With the exception of /config/xcb/management, where the same access level is granted to the trust stores for the user as they have for /config/xcb/management.

Delete a trust store DELETE /api/configuration/trust_stores/<id of the trust store>  
Sample request

The following command lists the trust stores:

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/trust_stores
Response

The following is a sample response received when listing trust stores.

For more information on the meta object, see Message format.

 

{ "items": [ { "key": "-7001", "meta": { "href": "/api/configuration/trust_stores/-7001" }, "body": { "name": "Built-in", "revocation_check": "none", "trust_store_type": "built-in" } }, { "key": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "meta": { "href": "/api/configuration/trust_stores/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" }, "body": { "name": "My_Custom_Trust_Store", "authorities": [ { "fingerprint": { "digest": "01:25:1f:a2:df:2a:31:1a:29:7a:ba:43:c4:03:42:a5:d7:30:ec:2d:e0:d7:7a:72:a7:1b:c3:99:c5:6c:10:ea", "hash_algorithm": "sha256" }, "issuer": "C=HU/ST=Budapest/L=None/O=Internet Widgits Pty Ltd/OU=None/CN=None/emailAddress=None", "pem": "-----BEGIN CERTIFICATE-----\nMIIDZzCCAk+gAwIBAgIUMlI5+EgTDAh2zqRDGYrzFRyozI8wDQYJKoZIhvcNAQEL\nBQAwQzELMAkGA1UEBhMCSFUxETAPBgNVBAgMCEJ1ZGFwZXN0MSEwHwYDVQQKDBhJ\nbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTQwODEyMTIzNjQ4WhcNMzQwNjE4\nMTIzNjQ4WjBDMQswCQYDVQQGEwJIVTERMA8GA1UECAwIQnVkYXBlc3QxITAfBgNV\nBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBALffJBDD6A/ZGBTgFbyLXHulU+hGnMW3DoPo2q4HY1/FfbkS\nrzmK+Fiz+3EwJCWi+EwK9mqve/nh6YRRw/VaAVQ7CkA7f7to+I7gP647Bq1wk0lh\nBVEJNlN0jfYYSumGxzPotw/fon1MkXuMbLc0Pr/vFX3NQC7/STAV5dZFcdboXDA7\nZZ3rzBIr93ThObsGj01MRO6wrS3rfE7Px9D7C2u9YSkP3OQ1Sfm/jqyLNaT6xt4i\nhrLnfYEc8mClnrlvILi+q/D6mIUSjb4IGvergAyl4jgPjO02UcvBzOIA9tDlBJBi\nQxZx+T620ubmEwOl9Q0G8RAWKz7szrBcXEjXhYUCAwEAAaNTMFEwHQYDVR0OBBYE\nFCDfEeq5Hsm8jMrG110iNpt5cikTMB8GA1UdIwQYMBaAFCDfEeq5Hsm8jMrG110i\nNpt5cikTMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAK3iizM4\nCx69YD+4CWOUswULrCJA38C+nDYONLbNkact8JKXqCn/MaZTII+dZoV9RjjX4AzA\nPTQkZT+RoVeCZyt+qWHMdjq6koabXwQmXNozUtaxEZTrnoUDEWtNIbjV/gNtRcSG\nsU7i9L2YnwDzTw0cR/pu1Hykq8fwqNqjQGYnmXtJspMkKAtVe1CrtnPLiC6JBr0g\n5GZF58sHx5+gO0RkqdzJgRAGnImdfAahqfHmKRFmxoxWLyylRyqDgQ+KqcaDvZI+\ni36M+NQHVrDX4jo4CFoXhFlSOepvtDOpmzoWhugwDNMPuU1IEY7//CJBXQnjp+uf\nLO6PsNmMKDGi9Dk=\n-----END CERTIFICATE-----\n", "subject": "C=HU/ST=Budapest/L=None/O=Internet Widgits Pty Ltd/OU=None/CN=None/emailAddress=None" } ], "crl_urls": [ "http://crl.it/sec" ], "revocation_check": "full", "trust_store_type": "custom" } } ] }

Elements of the response message body include:

Elements of items

 

Type

Description

Notes
items

 

object array

List of JSON objects available from the current endpoint.

 
 

key

string

The ID of the trust store.

Each trust store has a unique key.

The built-in trust store's ID is "-7001".

 

meta

string (uri)

The href field contains the URL of the trust store.

 
 

body

     
Elements of body

 

Type

Description

Notes
body

 

object Top level element.  
 

name

string The name of the trust store.

The name field is set by the user and it must be unique.

For example:

"name": "My_Custom_Trust_Store".

The built-in trust store's name is "Built-in".

 

authorities

 

     
 

crl_urls

string array The crl_urls field contains the list of CRL web addresses (HTTP or HTTPs URLs) used for revocation check.

If a trust store that uses certificate revocation lists (CRLs) does not work properly, it might be due to invalid or inaccessible CRL URLs. Troubleshooting can involve checking whether all URLs of the CA CRL URL list are valid, and can be accessed from the SPS via the Basic Settings / Troubleshooting / Connect to TCP port function in the Web UI.

 

revocation_check

enum

The type of the revocation check.

Possible values: "full", "leaf", "none".

"full" - The crl_urls field must contain CRL URLs for all of the CAs that are part of the chain of a given certificate which is being verified.

"leaf" - The crl_urls field must contain at least the CRL URL of the CA which signed the certificate which is being validated.

"none" - The crl_urls field must be empty.

 

trust_store_type

enum

The type of the trust store.

Possible values: "built-in", "custom".

The built-in trust store comes with the operation system. This type of trust store is read-only. There is no CRL check involved, and it cannot be removed.

Elements of authorities

 

Type

Description

Notes
authorities

 

array List of Certificate Authorities.  
 

fingerprint

     
 

issuer

 

string The name of the entity that signed the certificate.  
 

pem

string The certificate in PEM format.  

 

subject

string

The subject of the certificate.

 

Elements of fingerprint

 

Type

Description

Notes
fingerprint

 

  A two-piece byte sequence consisting of a hash algorithm and a message digest.  
 

digest

string The string of digits produced by the hash algorithm.  
 

hash_algorithm

 

string The name of the hash algorithm.  
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
400 SyntacticError

A value to be set is not accepted syntactically. The details section contains the path that was found to be invalid.

Possible syntactic error messages related to trust store:

  • The user is not allowed to create a built-in trust store or edit or delete the existing one.
  • When revocation_check is set to "none", the crl_urls field must be empty. The user cannot add any element to crl_urls.
  • When revocation_check is set to "full" or "leaf", the crl_urls cannot be empty.

400 SemanticError

The configuration contains semantic errors, inconsistencies or other problems that would put the system into an unreliable state if the configuration had been applied. The details section contains the errors that were found in the configuration.

Possible semantic error messages related to trust store:

  • The name of the trust stores must be unique.
  • The authorities of a trust store must be unique.
  • The CRL URLs of a trust store must be unique.

401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.

Enabling One Identity Safeguard Remote Access without Starling Join

Enable the One Identity Safeguard Remote Access (SRA) feature of One Identity Starling without Starling Join information.

NOTE: You cannot configure Starling Join through the resource configuration endpoint (/api/configuration/starling), only through the dedicated /starling/join endpoint.

URL
GET https://<IP-address-of-SPS>/api/configuration/starling
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Operations

Operations with the /starling endpoint include:

Operation HTTP method URL

Notes

Query One Identity Starling Join without a join to One Identity Starling GET /api/configuration/starling

The value of the join_info field is null.

Query One Identity Starling Join after join GET /api/configuration/starling

The values of the join_info field are environment, product_instance, and product_tims.

Enable SRA PUT /api/configuration/starling

SRA can be enabled only if the node is joined to One Identity Starling. Use the starling/join endpoint to join to One Identity Starling.

Disable SRA PUT /api/configuration/starling

To disable SRA to One Identity Starling, the enabled field must be set to false.

Enable SRA

To enable SRA with the use of the /starling endpoint, you have to:

  1. Open a transaction

    For more information, see Open a transaction.

  2. Set the enabled parameter of remote_access to true.

    Sample request

    The following command enables SRA to join to One Identity Starling.

    curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/starling
    {
       "join_info": {
         "environment": "prod",
         "product_instance": "starling-joiner-11111111-1111-1111-1111-111111111111",
         "product_tims": "123-456-789"
       },
       "remote_access":
       {
         "enabled": true
       }
    }
    				

    Elements of the request message body include:

    Elements Type Description

    Notes

    join_info object
    join_info.environment string

    The environment of the product.

    Possible values: prod.

    join_info.product_instance string

    The instance of the product.

    join_info.product_tims string

    The TIMS license of the product.

    remote_access  

    To disable SRA to One Identity Starling, the enabled field must be set to false.

    remote_access.enabled boolean

    Enables or disables SRA to One Identity Starling.

    Possible values: true, false

    key Possible values: starling
  3. Commit your changes

    For more information, see Commit a transaction.

Response

The response is a regular meta object.

For more information on the meta object, see Message format.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Endpoint-specific HTTP response codes for this request:

HTTP response code Status / Error Description
403 RemoteAccessDependsOnStarlingJoinError SRA to One Identity Starling can only be enabled, if the node is joined to One Identity Starling. Use the /starling/join endpoint to join to One Identity Starling.
403 StarlingJoinInfoIsReadOnlyError You cannot join or unjoin from One Identity Starling at the resource configuration endpoint (/api/configuration/starling), as the One Identity Starling join_info field is read-only. Use the /starling/join endpoint to join or unjoin from One Identity Starling.

Standard HTTP response codes for this request:

Managing Starling Join

NOTE: You cannot manage Starling Join through the resource configuration endpoint (/api/configuration/starling), only through the dedicated /starling/join endpoint.

Retrieving One Identity Starling Join information

Check whether your SPS appliance is joined to the One Identity Starling platform.

If you are interested which One Identity Starling services are available to you, you can list them at the Retrieving the status of services related to Starling Join/Unjoin endpoint.

URL
GET https://<IP-address-of-SPS>/api/starling/join
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Operations

HTTP GET operations with the /starling/join endpoint include:

Operation HTTP method URL

Notes

Querying Starling Join endpoint from a browser without TIMS

GET

 

 

 

/api/starling/join

 

 

 

Headers to be used: Accept: text/html.

 

 

 

Querying Starling Join endpoint when joined from a browser without TIMS

Querying Starling Join info without TIMS

Querying Starling Join info when joined without TIMS

Querying Starling Join endpoint from a browser with TIMS

GET

 

 

 

/api/starling/join?product_tims=<TIMS value>

 

 

 

Example of TIMS value: product_tims=222-333-444 .

 

 

 

Querying Starling Join endpoint when joined from a browser with TIMS

Querying Starling Join info with TIMS

Querying Starling Join info when joined with TIMS

Sample request

The following command queries the /starling/join endpoint when joined from a browser without TIMS.

curl --cookie cookies https://<IP-address-of-SPS>/api/starling/join
Response

The following is a sample response.

For more information on the meta object, see Message format.

{
   "body":
   {
     "joined": true,
     "product_instance": "starling-joiner-11111111-1111-1111-1111-111111111111",
     "product_name": "Safeguard",
     "product_tims": "123-456-789"
   }
}
		

Elements of the response message body include:

Elements Type Description

Notes

joined boolean

Displays whether or not the user is joined to One Identity Starling or unjoined from it.

product_instance string

The instance of the product.

product_name string

The name of the product.

product_tims string The TIMS license of the product.

NOTE: While it is possible to send a POST HTTP request to the /starling/join endpoint, if you want to join your SPS appliance to One Identity Starling, visit the SPS web interface and initiate the join process under Basic Settings > Starling Integration > Start join.

Unjoining SPS from One Identity Starling

Use the /starling/join endpoint to unjoin your SPS appliance from One Identity Starling.

URL
DELETE https://<IP-address-of-SPS>/api/starling/join
Operations

HTTP DELETE operations with the /starling/join endpoint include:

Operation HTTP method URL

Notes

Unjoining One Identity Starling

DELETE

/api/starling/join

Unjoining One Identity Starling in a regular way is not possible while One Identity Safeguard Remote Access (SRA) is enabled. To unjoin One Identity Starling, first you must disable SRA.

Force unjoining One Identity Starling

DELETE

/api/starling/join?force=true

The Force Unjoin functionality works even when SRA is enabled.

HTTP response codes

HTTP response codes comprise of standard or endpoint-specific HTTP status and error codes. The following table lists the endpoint-specific HTTP response codes for this request.

HTTP response code Status / Error Description

400

MissingCredentialStringError

The mandatory credential_string parameter is not specified for One Identity Starling Join.

400

MissingProductInstanceError

The mandatory product_instance parameter is not specified for One Identity Starling Join.

403

OpenTransactionError

The attempt to join to One Identity Starling was unsuccessful, as the transaction was still open. To join to One Identity Starling, you must first close the previous transaction.

403

ForbiddenActionError

Forbidden action. To unjoin from One Identity Starling, use the /starling/join endpoint.

403

StarlingJoinIsInUseByRemoteAccessError

Unjoining One Identity Starling is not allowed while One Identity Safeguard Remote Access (SRA) is in use. Disable SRA in the configuration before unjoining from One Identity Starling.

For more information and a list of standard HTTP response codes, see Application level error codes.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating