Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 8.0 LTS - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections MSSQL connections RDP connections SSH connections Telnet connections VNC connections Search, retrieve, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST REST API examples

Upload and enable a configuration synchronization plugin

Nodes fetch their configuration from the Central management node, and merge it into their own configuration. Depending on their role, nodes may merge the whole configuration into their own (Managed host nodes), or only the cluster-specific parts (nodes with no roles assigned). Whenever a configuration change is made on the Central management node and the change is committed, it is synchronized to all nodes in the cluster as soon as the nodes fetch the latest configuration from the Central management node.

When synchronizing the central configuration across nodes, you may want to:

  • Keep certain parts in the configuration of individual nodes unchanged.

  • Customize certain parts of the central configuration to specific needs of individual nodes in the cluster (for example, your nodes may access external services through different network addresses).

You can achieve all of these by using a configuration synchronization plugin that contains transformations for the problematic parts. The plugin only runs on nodes that have the Managed host role.

Customizing certain parts or features of a node using a configuration synchronization plugin has the same limitations as configuring One Identity Safeguard for Privileged Sessions (SPS) through the REST API. In other words, whatever you can configure through the REST API, you can configure the exact same settings using the plugin. One notable difference between the REST API and the plugin is that using the REST API, you can only read certain types of data (such as keys and passwords), while using the configuration synchronization plugin, you can write these types of data as well.

Data structures in the plugin are represented as nested JSON objects. For object references, the plugin uses keys.

The plugin works with the following key parameters:

  • local_config: The current configuration of a Managed Host node (those parts that can be configured through the REST API).
  • merged_config: The configuration of the Central management node that is about to be synced to the Managed host node (those parts that can be configured through the REST API), with settings related to networking, local services, and management whitelisted. These settings are never overwritten by configuration synchronization.
  • node_id: The unique ID of the Managed host node in the cluster (you can retrieve this identifier by querying the /api/cluster/nodes endpoint through the REST API).
  • plugin_config: The configuration of the plugin provided as free-form text. Specifying the configuration of the plugin is optional. It enables you to run configuration synchronization on each cluster with different parameters if you have multiple clusters.
Example: Customizing an IP address in a connection policy

For example, an RDP connection policy on a Managed host node specifies the following client and target addresses:

$ curl ... https://<url-of-Central-Management-node>/api/configuration/rdp/connections/<id-of-the-connection-policy>

{
    "body": {
        "network": {
            "clients": [
                "0.0.0.0/0"
                ],
            "ports": [
                3389
                ],
           "targets": [
               "10.30.255.28/24"
               ]
        },
    },
    ...
}

In the following example, an RDP connection policy is configured with the following details on the Central management node:

$ curl ... https://<url-of-Managed-Node>/api/configuration/rdp/connections/<id-of-the-connection-policy>

{
    "body": {
        "network": {
            "clients": [
                "0.0.0.0/0"
                ],
            "ports": [
                3389
                ],
           "targets": [
               "10.30.255.8/24"
               ]
        },
    },
    ...
}

To ensure that the details of the connection policy on the Managed host node are kept as-is after configuration synchronization, add the following lines to the plugin main.py file:

$ cat main.py
def merge(local_config: dict, merged_config: dict, node_id: str, plugin_config: str, **kwargs):
    merged_config['rdp']['connections'][<id-of-the-connection-policy>]['network']['targets'][0] = "10.30.255.8/24"
    return merged_config

Due to possible new (as yet undefined) parameters, it is good practice to close the parameter list of the merge function with **kwargs.

If you need assistance with writing customized transformations, contact our Professional Services Team, and a One Identity Service Delivery Engineer will help you.

NOTE: Configuration settings related to networking (/api/configuration/network), local services (/api/configuration/local_services), and the management of SPS (/api/configuration/management) are not overwritten on the nodes by configuration synchronization even when not using a plugin.

To upload a configuration synchronization plugin to the Central Management node, complete the following steps.

  1. Open a transaction.

    For more information, see Open a transaction.

  2. Upload the plugin file.

    POST the plugin as a zip file (application/zip) to the https://<IP-address-of-Central-Management-node>/api/upload/plugins endpoint, for example:

    curl -X POST -H "Content-Type: application/zip" --cookie cookies.txt https://<IP-address-of-Central-Management-node>/api/upload/plugins --data-binary @<path-to-plugin.zip>

    The following is a sample response received.

    For more information on the meta object, see Message format.

    {
        "body": {
            "api": "1.0",
            "default_configuration": "",
            "description": "Whitelist the list of paths when merging the configuration",
            "name": "whitelist",
            "path": "/opt/scb/var/plugins/configuration_sync/whitelist",
            "scb_max_version": "",
            "scb_min_version": "",
            "version": "1.0"
        },
        "key": "794a5e17-b8be-4426-8596-0dfc129c06ef",
        "meta": {
            "href": "/api/configuration/plugins/configuration_sync/794a5e17-b8be-4426-8596-0dfc129c06ef",
            "parent": "/api/configuration/plugins/configuration_sync",
            "remaining_seconds": 599
        }
    }
    Elements Type Description
    body Top-level element (JSON object)
    api string Always "1.0".
    default_configuration string Contains the default configuration of the plugin if there is one.
    description string The description of what the plugin does.
    name string The name of the plugin.
    path string The path to the plugin.
    scb_max_version string The plugin is compatible with SPS versions not later than this one.
    scb_min_version string The plugin is compatible with SPS versions not earlier than this one.
    version string The version number of the plugin.
    key string The ID of the plugin.
  3. To enable the plugin

    Replace /api/cluster/configuration_sync_plugin with:

    {
        "enabled": true,
        "plugin": "<'key' from-response-of-last-creation>",
        "configuration": ""
    }

    For example:

    curl -X POST -H "Content-Type: application/json" --cookie cookies.txt https://<IP-address-of-Central-Management-node>/api/cluster/configuration_sync_plugin --data '{"enabled": true, "plugin": "794a5e17-b8be-4426-8596-0dfc129c06ef", "configuration": ""}'

    The following is a sample response received:

    {
        "plugin": {
            "key": "794a5e17-b8be-4426-8596-0dfc129c06ef",
            "meta": {
                "href": "/api/configuration/plugins/configuration_sync/794a5e17-b8be-4426-8596-0dfc129c06ef"
            }
        }
    }
  4. Commit your changes.

    For more information, see Commit a transaction.

Disable a configuration synchronization plugin

To disable a configuration synchronization plugin on the Central Management node, complete the following steps.

  1. Open a transaction.

    For more information, see Open a transaction.

  2. To disable the plugin, replace /api/cluster/configuration_sync_plugin with:
    {
        "enabled": false
    }

    For example:

    curl -X POST -H "Content-Type: application/json" --cookie cookies.txt https://<IP-address-of-Central-Management-node>/api/cluster/configuration_sync_plugin --data '{"enabled": false}'

    The following is a sample response received:

    {
        "plugin": {
            "key": null,
            "meta": {}
        }
    }
  3. Commit your changes.

    For more information, see Commit a transaction.

Configuration tools in SPS

A list of tools that can help with the configuration of SPS.

URL
GET https://<IP-address-of-SPS>/api/tools/
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command lists available configuration tools in SPS.

curl -X GET -b "${COOKIE_PATH}" https://<IP-address-of-SPS>/api/tools/
Response

The following is a sample response received when the available configuration tools are listed.

For more information on the meta object, see Message format.

{
     "items": [
       {
         "key": "hosts-by-name",
         "meta": {
           "href": "/api/tools/hosts-by-name"
         }
       },
       {
         "key": "ldaptest",
         "meta": {
           "href": "/api/tools/ldaptest"
         }
       }
     ],
     }
Item

Description

Resolving hostnames to IP addresses

Resolve the hostname of a computer or server to IP addresses.

Testing LDAP server connection Test LDAP server connection.
HTTP response codes

For more information and a list of standard HTTP response codes, see Application level error codes.

Resolving hostnames to IP addresses

SPS configuration requires you to set IP addresses as values. Resolve the hostname of a computer or server with the /hosts-by-name endpoint to receive the list of all related IP addresses that you can use for configuration.

NOTE: The protocol parameter can only take the following two values: TCP and UDP. Anything else will return an error message.

URL
POST https://<IP-address-of-SPS>/api/tools/hosts-by-name
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.

NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command resolves the hostname to IP addresses.

curl -X POST -b "${COOKIE_PATH}" https://<IP-address-of-SPS>/api/tools/hosts-by-name
{
     "hostname": "example.org",
     "protocol": "TCP"
    }

Elements of the request message body include:

Element

Type

Required

Description

Notes

hostname

string

Required

The unique identifier that serves as the name of the computer or server whose IP address you want to resolve.

protocol

string

Required

The type of Internet Protocol used to address and route packets of data.

Possible values are:

  • TCP

  • UDP

Response

When resolving a hostname to IP addresses, the response is the following.

For more information on the meta object, see Message format.

{
     "ipv4": [
       "93.184.216.34",
       "93.184.216.35"
     ],
     "ipv6": [
       "2606:2800:220:1:248:1893:25c8:1946",
       "2606:2800:220:1:248:1893:25c8:1947"
     ]
   }

Elements of the response message body include:

Element

Type

Description

Notes

ipv4

string array

The Internet Protocol type of the IP addresses is version 4.

ipv6

string array

The Internet Protocol type of the IP addresses is version 6.

HTTP response codes

HTTP response codes comprise of standard or endpoint-specific HTTP status and error codes. The following table lists the endpoint-specific HTTP response codes for this request.

HTTP response code Status/Error Description
400

Syntactic Error

The protocol you provided is not valid. Use TCP or UDP as value instead.

400

HostnameCannotBeResolved

The hostname you provided cannot be resolved. Check the following:

  • The hostname you provided is valid.

  • The hostname is available on the Internet.

401 Unauthenticated

Unauthenticated users cannot query the IP addresses of a host.

For more information and a list of standard HTTP response codes, see Application level error codes.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating