Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 8.0 LTS - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections MSSQL connections RDP connections SSH connections Telnet connections VNC connections Search, retrieve, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST REST API examples

Trust stores

Trust stores serve as local certificate storages where users can store the certificate chains of trusted Certificate Authorities (CAs). These certificates are then used to ensure secure communication between external parties and the SPS.

There are two types of trust stores: built-in and custom.

The built-in trust store has well known root CAs (such as Google, Microsoft, Verisign, etc.), and it is not modifiable.

Before establishing secure communication (TLS), SPS verifies the certificate of the other party using the assigned trust store. Only certificates signed by any of the CAs in the trust store are accepted.

NOTE: CRL URLs must be listed explicitly in the appropriate field, as those CRL URLs that are embedded in the extensions of the certificates, will be ignored.

URL
GET https://<IP-address-of-SPS>/api/configuration/trust_stores
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Operations with the trust_stores endpoint include:

Operation

 

HTTP method

URL

Notes
Create a trust store POST /api/configuration/trust_stores The name of the trust store must be unique.
List trust stores GET /api/configuration/trust_stores

Users who were not given read access to the trust_stores endpoint explicitly, are still able to retrieve information from it, if they have access to other /configuration related endpoints, which reference trust stores.

Examples of trust store referrer ACL (read access):

  • /pages/starlingjoin
  • /config/xcb/aaa/settings
  • /config/scb/pol_ldaps

Query a trust store GET /api/configuration/trust_stores/<id of the trust store>  
Query the built-in trust store GET /api/configuration/trust_stores/-7001  
Update a trust store PUT /api/configuration/trust_stores/<id of the trust store>

Users who were not given access to the trust_stores endpoint explicitly, but are still able to retrieve information from it because they have access to configuration endpoints which reference trust stores, are unable to modify trust stores.

With the exception of /config/xcb/management, where the same access level is granted to the trust stores for the user as they have for /config/xcb/management.

Delete a trust store DELETE /api/configuration/trust_stores/<id of the trust store>  
Sample request

The following command lists the available trust stores:

Querying trust stores request

Response

The following is a sample response received when listing trust stores:

Querying trust stores response

For more information on the meta object, see Message format.

Elements of the response message body include:

Elements of items

 

Type

Description

Notes
items

 

object array

List of JSON objects available from the current endpoint.

 
 

key

string

The ID of the trust store.

Each trust store has a unique key.

The built-in trust store's ID is "-7001".

 

meta

string (uri)

The href field contains the URL of the trust store.

 
 

body

     
Elements of body

 

Type

Description

Notes
body

 

object Top level element.  
 

name

string The name of the trust store.

The name field is set by the user and it must be unique.

For example:

"name": "My_Custom_Trust_Store".

The built-in trust store's name is "Built-in".

 

authorities

 

     
 

crl_urls

string array The crl_urls field contains the list of CRL web addresses (HTTP or HTTPs URLs) used for revocation check.

If a trust store that uses certificate revocation lists (CRLs) does not work properly, it might be due to invalid or inaccessible CRL URLs. Troubleshooting can involve checking whether all URLs of the CA CRL URL list are valid, and can be accessed from the SPS via the Basic Settings / Troubleshooting / Connect to TCP port function in the Web UI.

 

revocation_check

enum

The type of the revocation check.

Possible values: "full", "leaf", "none".

"full" - The crl_urls field must contain CRL URLs for all of the CAs that are part of the chain of a given certificate which is being verified.

"leaf" - The crl_urls field must contain at least the CRL URL of the CA which signed the certificate which is being validated.

"none" - The crl_urls field must be empty.

 

trust_store_type

enum

The type of the trust store.

Possible values: "built-in", "custom".

The built-in trust store comes with the operation system. This type of trust store is read-only. There is no CRL check involved, and it cannot be removed.

Elements of authorities

 

Type

Description

Notes
authorities

 

array List of Certificate Authorities.  
 

fingerprint

     
 

issuer

 

string The name of the entity that signed the certificate.  
 

pem

string The certificate in PEM format.  

 

subject

string

The subject of the certificate.

 

Elements of fingerprint

 

Type

Description

Notes
fingerprint

 

  A two-piece byte sequence consisting of a hash algorithm and a message digest.  
 

digest

string The string of digits produced by the hash algorithm.  
 

hash_algorithm

 

string The name of the hash algorithm.  
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
400 SyntacticError

A value to be set is not accepted syntactically. The details section contains the path that was found to be invalid.

Possible syntactic error messages related to trust store:

  • The user is not allowed to create a built-in trust store or edit or delete the existing one.
  • When revocation_check is set to "none", the crl_urls field must be empty. The user cannot add any element to crl_urls.
  • When revocation_check is set to "full" or "leaf", the crl_urls cannot be empty.

400 SemanticError

The configuration contains semantic errors, inconsistencies or other problems that would put the system into an unreliable state if the configuration had been applied. The details section contains the errors that were found in the configuration.

Possible semantic error messages related to trust store:

  • The name of the trust stores must be unique.
  • The authorities of a trust store must be unique.
  • The CRL URLs of a trust store must be unique.

401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.

Enabling One Identity Safeguard Remote Access without Starling Join

Enable the One Identity Safeguard Remote Access (SRA) feature of One Identity Starling without Starling Join information.

NOTE: You cannot configure Starling Join through the resource configuration endpoint (/api/configuration/starling), only through the dedicated /starling/join endpoint.

URL
GET https://<IP-address-of-SPS>/api/configuration/starling
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Operations

Operations with the /starling endpoint include:

Operation HTTP method URL

Notes

Query One Identity Starling Join without a join to One Identity Starling GET /api/configuration/starling

The value of the join_info field is null.

Query One Identity Starling Join after join GET /api/configuration/starling

The values of the join_info field are environment, product_instance, and product_tims.

Enable SRA PUT /api/configuration/starling

SRA can be enabled only if the node is joined to One Identity Starling. Use the starling/join endpoint to join to One Identity Starling.

Disable SRA PUT /api/configuration/starling

To disable SRA to One Identity Starling, the enabled field must be set to false.

Enable SRA

To enable SRA with the use of the /starling endpoint, you have to:

  1. Open a transaction.

    For more information, see Open a transaction.

  2. Set the enabled parameter of remote_access to true.

    Sample request

    The following command enables SRA to join to One Identity Starling.

    curl --cookie cookies.txt https://<IP-address-of-SPS>/api/configuration/starling
    {
       "join_info": {
         "environment": "prod",
         "product_instance": "starling-joiner-11111111-1111-1111-1111-111111111111",
         "product_tims": "123-456-789"
       },
       "remote_access":
       {
         "enabled": true
       }
    }
    				

    Elements of the request message body include:

    Elements Type Description

    Notes

    join_info object
    join_info.environment string

    The environment of the product.

    Possible values: prod.

    join_info.product_instance string

    The instance of the product.

    join_info.product_tims string

    The TIMS license of the product.

    remote_access  

    To disable SRA to One Identity Starling, the enabled field must be set to false.

    remote_access.enabled boolean

    Enables or disables SRA to One Identity Starling.

    Possible values: true, false

    key Possible values: starling
  3. Commit your changes.

    For more information, see Commit a transaction.

Response

The response is a regular meta object.

For more information on the meta object, see Message format.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Endpoint-specific HTTP response codes for this request:

HTTP response code Status / Error Description
403 RemoteAccessDependsOnStarlingJoinError SRA to One Identity Starling can only be enabled, if the node is joined to One Identity Starling. Use the /starling/join endpoint to join to One Identity Starling.
403 StarlingJoinInfoIsReadOnlyError You cannot join or unjoin from One Identity Starling at the resource configuration endpoint (/api/configuration/starling), as the One Identity Starling join_info field is read-only. Use the /starling/join endpoint to join or unjoin from One Identity Starling.

Standard HTTP response codes for this request:

Managing Starling Join

NOTE: You cannot manage Starling Join through the resource configuration endpoint (/api/configuration/starling), only through the dedicated /starling/join endpoint.

Retrieving One Identity Starling Join information

Check whether your SPS appliance is joined to the One Identity Starling platform.

The /api/starling/join/status endpoint returns the status of the services required for One Identity Starling join.

URL
GET https://<IP-address-of-SPS>/api/starling/join
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Operations

HTTP GET operations with the /starling/join endpoint include:

Operation HTTP method URL

Notes

Querying Starling Join endpoint from a browser without TIMS

GET

 

 

 

/api/starling/join

 

 

 

Headers to be used: Accept: text/html.

 

 

 

Querying Starling Join endpoint when joined from a browser without TIMS

Querying Starling Join info without TIMS

Querying Starling Join info when joined without TIMS

Querying Starling Join endpoint from a browser with TIMS

GET

 

 

 

/api/starling/join?product_tims=<TIMS value>

 

 

 

Example of TIMS value: product_tims=222-333-444

 

 

 

Querying Starling Join endpoint when joined from a browser with TIMS

Querying Starling Join info with TIMS

Querying Starling Join info when joined with TIMS

Sample request

The following command queries the /starling/join endpoint when joined from a browser without TIMS.

curl --cookie cookies.txt https://<IP-address-of-SPS>/api/starling/join
Response

The following is a sample response.

For more information on the meta object, see Message format.

{
   "body":
   {
     "joined": true,
     "product_instance": "starling-joiner-11111111-1111-1111-1111-111111111111",
     "product_name": "Safeguard",
     "product_tims": "123-456-789"
   }
}
		

Elements of the response message body include:

Elements Type Description
joined boolean

Displays whether or not the user is joined to One Identity Starling or unjoined from it.

product_instance string

The instance of the product.

product_name string

The name of the product.

product_tims string The TIMS license of the product.

NOTE: While it is possible to send a POST HTTP request to the /starling/join endpoint, if you want to join your SPS appliance to One Identity Starling, visit the SPS web interface and initiate the join process under Basic Settings > Starling Integration > Start join.

Unjoining SPS from One Identity Starling

Use the /starling/join endpoint to unjoin your SPS appliance from One Identity Starling.

URL
DELETE https://<IP-address-of-SPS>/api/starling/join
Operations

HTTP DELETE operations with the /starling/join endpoint include:

Operation HTTP method URL

Notes

Unjoining One Identity Starling

DELETE

/api/starling/join

Unjoining One Identity Starling in a regular way is not possible while One Identity Safeguard Remote Access (SRA) is enabled. To unjoin One Identity Starling, first you must disable SRA.

Force unjoining One Identity Starling

DELETE

/api/starling/join?force=true

The Force Unjoin functionality works even when SRA is enabled.

HTTP response codes

HTTP response codes comprise of standard or endpoint-specific HTTP status and error codes. The following table lists the endpoint-specific HTTP response codes for this request.

HTTP response code Status / Error Description

400

MissingCredentialStringError

The mandatory credential_string parameter is not specified for One Identity Starling Join.

400

MissingProductInstanceError

The mandatory product_instance parameter is not specified for One Identity Starling Join.

403

OpenTransactionError

The attempt to join to One Identity Starling was unsuccessful, as the transaction was still open. To join to One Identity Starling, you must first close the previous transaction.

403

ForbiddenActionError

Forbidden action. To unjoin from One Identity Starling, use the /starling/join endpoint.

403

StarlingJoinIsInUseByRemoteAccessError

Unjoining One Identity Starling is not allowed while One Identity Safeguard Remote Access (SRA) is in use. Disable SRA in the configuration before unjoining from One Identity Starling.

For more information and a list of standard HTTP response codes, see Application level error codes.

Retrieving the status of services related to Starling Join/Unjoin

Use the /status endpoint to retrieve information about the availability of the services needed for Starling Join or Starling Unjoin.

URL
GET https://<IP-address-of-SPS>/api/starling/status
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command returns information about the availability of the services needed for Starling Join or Starling Unjoin.

curl --cookie cookies.txt https://<IP-address-of-SPS>/api/starling/status
Response

The following is a sample response.

For more information on the meta object, see Message format.

{
  "internet_connection": {"status": true, "error": "N/A"},
  "meta": {
      "href": "/api/starling/status",
      "parent": "/api/starling",
      "remaining_seconds": 593
  },
  "proxy": true,
  "starling_status": {
      "STS API": "healthy",
      "Microsoft Graph API": "healthy",
      "Salesforce API": "healthy",
      "Database": "healthy"
  },
  "verdict": true
}

Elements of the response message body include:

Elements Type Description
internet_connection object

Indicates whether or not the SPS appliance can connect to the status endpoint (https://accountsupervisor.cloud.oneidentity.com/heartbeat?checkdependencies=true).

internet_connection.error string

The description of the error. If no error occurred, the value is N/A.

internet_connection.status boolean

The value is true if the SPS appliance could connect to the status endpoint.

The value is false if there is no Internet connection.

proxy boolean Indicates whether or not a proxy server is configured.

starling_status

enum

Enumeration of the different One Identity Starling join-related services and their current status.

verdict

boolean

The value is true if SPS can connect to the status page and the relevant service(s) are healthy.

HTTP response codes

Standard HTTP response codes for this request:

For more information and a list of standard HTTP response codes, see Application level error codes.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating