Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.0.10 - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections RDP connections SSH connections Telnet connections VNC connections Search, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST

Upload and enable a configuration synchronization plugin

Nodes fetch their configuration from the Central Management node, and merge it into their own configuration. Depending on their role, nodes may merge the whole configuration into their own (Managed Host nodes), or only the cluster-specific parts (nodes with no roles assigned). Whenever a configuration change is made on the Central Management node and the change is committed, it is synchronized to all nodes in the cluster as soon as the nodes fetch the latest configuration from the Central Management node.

When synchronizing the central configuration across nodes, you may want to:

  • Keep certain parts in the configuration of individual nodes as-is.

  • Tailor certain parts of the central configuration to specific needs of individual nodes in the cluster (for example, your nodes may access external services at different network addresses).

You can achieve all of these by using a configuration synchronization plugin that contains transformations for the problematic parts. The plugin only runs on nodes that have the Managed Host role.

Customizing certain parts or features of a node using a configuration synchronization plugin has the same limitations as configuring SPS through the REST API. In other words, whatever you can configure through the REST API, you can configure the exact same settings using the plugin. One notable difference between the REST API and the plugin is that using the REST API, you can only read certain types of data (such as keys and passwords), while using the configuration synchronization plugin, you can write these types of data as well.

Data structures in the plugin are represented as nested JSON objects. For object references, the plugin uses keys.

The plugin works with the following key parameters:

  • local_config: The current configuration of a Managed Host node (those parts that can be configured through the REST API).
  • merged_config: The configuration of the Central Management node that is about to be synced to the Managed Host node (those parts that can be configured through the REST API), with settings related to networking, local services, management, and the license of SPS whitelisted. These settings are never overwritten by configuration synchronization.
  • node_id: The unique ID of the Managed Host node in the cluster (you can retrieve this identifier by querying the /api/cluster/nodes endpoint through the REST API).
  • plugin_config: The configuration of the plugin provided as free-form text. Specifying the configuration of the plugin is optional. It enables you to run configuration synchronization on each cluster with different parameters if you have multiple clusters.
Example: Customizing an IP address in a connection policy

For example, an RDP connection policy on a Managed Host node specifies the following client and target addresses:

$ curl ... https://<url-of-Central-Management-node>/api/configuration/rdp/connections/<id-of-the-connection-policy> 

{
    "body": {
        "network": {
            "clients": [
                "0.0.0.0/0"
                ],
            "ports": [
                3389
                ],
           "targets": [
               "10.30.255.28/24"
               ]
        },
    },
    ...
}

Let's suppose that on the Central Management node, an RDP connection policy is configured with these details:

$ curl ... https://<url-of-Managed-Node>/api/configuration/rdp/connections/<id-of-the-connection-policy> 

{
    "body": {
        "network": {
            "clients": [
                "0.0.0.0/0"
                ],
            "ports": [
                3389
                ],
           "targets": [
               "10.30.255.8/24"
               ]
        },
    },
    ...
}

To ensure that the details of the connection policy on the Managed Host node are kept as-is after configuration synchronization, add the following lines to the plugin main.py file:

$ cat main.py
def merge(local_config: dict, merged_config: dict, node_id: str, plugin_config: str, **kwargs):
    merged_config['rdp']['connections'][<id-of-the-connection-policy>]['network']['targets'][0] = "10.30.255.8/24"
    return merged_config

Due to possible new (as yet undefined) parameters, it is good practice to close the parameter list of the merge function with **kwargs.

In case you need assistance with writing customized transformations, contact our Professional Services Team, and a One Identity Service Delivery Engineer will be able to help you.

 NOTE:

Configuration settings related to networking (/api/configuration/network), local services (/api/configuration/local_services), and the management of SPS (/api/configuration/management) are not overwritten on the nodes by configuration synchronization even when not using a plugin.

To upload a configuration synchronization plugin to the Central Management node, complete the following steps.

  1. Open a transaction.

    For details, see Open a transaction.

  2. Upload the plugin file.

    POST the plugin as a zip file (application/zip) to the https://<IP-address-of-Central-Management-node>/api/upload/pluginsendpoint, for example:

    curl -X POST -H "Content-Type: application/zip" --cookie cookies https://<IP-address-of-Central-Management-node>/api/upload/plugins --data-binary @<path-to-plugin.zip>

    The following is a sample response received.

    For details of the meta object, see Message format.

    {
    "body": {
        "api": "1.0",
        "default_configuration": "",
        "description": "Whitelist the list of paths when merging the configuration",
        "name": "whitelist",
        "path": "/opt/scb/var/plugins/configuration_sync/whitelist",
        "scb_max_version": "",
        "scb_min_version": "",
        "version": "1.0"
    },
    "key": "794a5e17-b8be-4426-8596-0dfc129c06ef",
    "meta": {
        "href": "/api/configuration/plugins/configuration_sync/794a5e17-b8be-4426-8596-0dfc129c06ef",
        "parent": "/api/configuration/plugins/configuration_sync",
        "remaining_seconds": 599
    }
}
    Elements Type Description
    body Top-level element (JSON object)
    api string Always "1.0".
    default_configuration string Contains the default configuration of the plugin if there is one.
    description string The description of what the plugin does.
    name string The name of the plugin.
    path string The path to the plugin.
    scb_max_version string The plugin is compatible with SPS versions not later than this one.
    scb_min_version string The plugin is compatible with SPS versions not earlier than this one.
    version string The version number of the plugin.
    key string The ID of the plugin.
  3. To enable the plugin, replace /api/cluster/configuration_sync_plugin with:
    {
    "enabled": true,
    "plugin": "<'key' from-response-of-last-creation>",
    "configuration": ""
}

    For example:

    curl -X POST -H "Content-Type: application/json" --cookie cookies https://<IP-address-of-Central-Management-node>/api/cluster/configuration_sync_plugin --data '{"enabled": true, "plugin": "794a5e17-b8be-4426-8596-0dfc129c06ef", "configuration": ""}'

    The following is a sample response received:

    {
    "plugin": {
        "key": "794a5e17-b8be-4426-8596-0dfc129c06ef",
        "meta": {
            "href": "/api/configuration/plugins/configuration_sync/794a5e17-b8be-4426-8596-0dfc129c06ef"
        }
    }
}
  4. Commit your changes.

    For details, see Commit a transaction.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating