One Identity Safeguard for Privileged Sessions 6.5.0

Message format How to configure SPS using REST How to configure SPS using REST: a sample transaction

Authenticate to the SPS REST API Authenticate to the SPS REST API using X.509 certificate Retrieve user information Checking the transaction status Open a transaction Commit a transaction Delete a transaction Reviewing the changelog of a transaction Application level error codes Navigating the configuration of SPS Modifying the configuration of SPS

Delete an object Create a new object Change an object

Basic settings

Retrieve basic firmware and host information Network settings

Web interface Network configuration options DNS servers Routing between interfaces Naming options Network addresses Routing table Local services of SPS Local services: Web login for administrators Local services: Web login for users Local services: cluster interface System backup policy Encrypting system backup policy

Date and time

Date & time NTP servers Timezone

Logs, monitoring and alerts

Management options Syslog server settings Disk fill-up prevention Mail settings Health monitoring SNMP settings SNMP traps Local services: access for SNMP agents Alerting System alerts Traffic alerts

User management and access control

User management and access control Authentication and user database settings Privileges of usergroups Audit data access rules Active sessions Manage users and usergroups locally on SPS Manage usergroups locally on SPS Manage users locally on SPS

Managing SPS

Troubleshooting options Internal certificates Passwords stored on SPS Private keys stored on SPS Certificates stored on SPS Local services: enabling SSH access to the SPS host RPC API Manage the SPS license Change contact information Splunk integration Splunk integration Manage Safeguard for Privileged Sessions clusters

Promote a Safeguard for Privileged Sessions node to be the Central Management node in a new cluster Join node(s) to the cluster Query join status Assign a role to a node Query nodes Query one particular node Query the status of all nodes in the cluster Query the status of one particular node Upload and enable a configuration synchronization plugin Disable a configuration synchronization plugin

General connection settings

Channel policy Policies Archive/Cleanup policy Audit policies Backup policy Real-time content monitoring with Content Policies LDAP servers Signing CA policies Time policy Trusted Certificate Authorities Local user databases User lists

HTTP connections

HTTP connections HTTP connection policies HTTP channels HTTP authentication policies Global HTTP options HTTP settings policies

Citrix ICA connections

ICA connections ICA connection policies ICA channels Global ICA options ICA settings policies

MSSQL connections

Limitations in handling MSSQL connections MSSQL connections MSSQL connection policies MSSQL channels MSSQL authentication policies Global MSSQL options MSSQL settings policies

RDP connections

RDP connections RDP connection policies RDP channels Configuring domain membership Global RDP options RDP settings policies

SSH connections

SSH connections SSH connection policies SSH channels SSH authentication policies Global SSH options SSH settings policies SSH host keys and certificates

Telnet connections

Telnet connections Telnet connection policies Telnet channels Telnet authentication policies Global Telnet options Telnet pattern sets

VNC connections

VNC connections VNC connection policies Global VNC options

Search, download, and index sessions

Audited sessions Download audit trails Searching in the session database Searching in connection content Generate and retrieve screenshot for content search Session statistics Session histogram Session alerts Session events Indexing sessions Session audit trail downloads Local services: configuring the indexer Indexer policies

Reporting

Reporting Reports Built-in subchapters Pre-defined reports Content subchapters Custom subchapters Connection statistics subchapters

Health and maintenance

Monitor appliance health status

Advanced authentication and authorization

Usermapping policy Plugins

Upload a plugin Delete a plugin

Authentication and authorization plugins

Configuring Authentication and Authorization plugin instances

Credential store plugins Credential stores

Completing the Welcome Wizard using REST

Enable and configure analytics using REST

Enable One Identity Safeguard for Privileged Analytics Configure One Identity Safeguard for Privileged Analytics

Alerting

Basic settings > Logs, monitoring and alerts > Alerting

Contains the endpoints for configuring alerting on SPS.

URL

GET https://<IP-address-of-SPS>/api/configuration/alerting

Cookies

Cookie name	Description	Required	Values
session_id	Contains the authentication token of the user	Required	The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API. Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Cookie name

Description

Required

Values

session_id

Contains the authentication token of the user

Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.

Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command lists alerting configuration endpoints.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/alerting

Response

The following is a sample response received when listing alerting configuration endpoints.

For details of the meta object, see Message format.

{
  "items": [
    {
      "key": "system_alerts",
      "meta": {
        "href": "/api/configuration/alerting/system_alerts"
      }
    },
    {
      "key": "traffic_alerts",
      "meta": {
        "href": "/api/configuration/alerting/traffic_alerts"
      }
    }
  ],
  "meta": {
    "first": "/api/configuration/aaa",
    "href": "/api/configuration/alerting",
    "last": "/api/configuration/x509",
    "next": "/api/configuration/datetime",
    "parent": "/api/configuration",
    "previous": "/api/configuration/aaa",
    "transaction": "/api/transaction"
  }
}

Element	Description
system_alerts	Configuration options for system-related alerts.
traffic_alerts	Configuration options for traffic-related alerts.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code	Description	Notes
401	Unauthenticated	The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403	Unauthorized	The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404	NotFound	The requested object does not exist.

System alerts

Basic settings > Logs, monitoring and alerts > System alerts

Configuration options for sending system-related alerts.

E-mail alerts, when enabled, are sent to the e-mail address configured in the alerting_address element of the /api/configuration/management/email endoint.

SNMP alerts, when enabled, are sent to the SNMP server configured at the /api/configuration/management/snmp/trap endpoint.

URL

GET https://<IP-address-of-SPS>/api/configuration/alerting/system_alerts

Cookies

Cookie name	Description	Required	Values
session_id	Contains the authentication token of the user	Required	The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API. Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Cookie name

Description

Required

Values

session_id

Contains the authentication token of the user

Required

Sample request

The following command lists configuration options for system-related alerts.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/alerting/system_alerts

Response

The following is a sample response received when listing configuration options for system-related alerts.

For details of the meta object, see Message format.

{
  "body": {
    "xcbAlert": {
      "email": false,
      "snmp": false
    },
    "xcbArchiveFailed": {
      "email": false,
      "snmp": false
    },
    "xcbBackupFailed": {
      "email": false,
      "snmp": false
    },
    "xcbBruteForceAttempt": {
      "email": false,
      "snmp": false
    },
    "xcbConfigChange": {
      "email": false,
      "snmp": false
    },
    "xcbDBError": {
      "email": false,
      "snmp": false
    },
    "xcbDiskFull": {
      "email": false,
      "snmp": false
    },
    "xcbError": {
      "email": false,
      "snmp": false
    },
    "xcbFirmwareTainted": {
      "email": false,
      "snmp": false
    },
    "xcbHWError": {
      "email": false,
      "snmp": false
    },
    "xcbHaNodeChanged": {
      "email": false,
      "snmp": false
    },
    "xcbLicenseAlmostExpired": {
      "email": false,
      "snmp": false
    },
    "xcbLimitReached": {
      "email": false,
      "snmp": false
    },
    "xcbLoadAvgHigh": {
      "email": false,
      "snmp": false
    },
    "xcbLogin": {
      "email": false,
      "snmp": false
    },
    "xcbLoginFailure": {
      "email": false,
      "snmp": false
    },
    "xcbLogout": {
      "email": false,
      "snmp": false
    },
    "xcbRaidStatus": {
      "email": false,
      "snmp": false
    },
    "xcbSwapFull": {
      "email": false,
      "snmp": false
    },
    "xcbTimeSyncLost": {
      "email": false,
      "snmp": false
    },
    "xcbTimestampError": {
      "email": false,
      "snmp": false
    }
  },
  "key": "system_alerts",
  "meta": {
    "first": "/api/configuration/alerting/system_alerts",
    "href": "/api/configuration/alerting/system_alerts",
    "last": "/api/configuration/alerting/traffic_alerts",
    "next": "/api/configuration/alerting/traffic_alerts",
    "parent": "/api/configuration/alerting",
    "previous": null,
    "transaction": "/api/transaction"
  }
}

Element			Type	Description
key			string	Top level element, contains the ID of the endpoint.
body			Top level element (string)	Contains the configuration options for system-related alerts.
	xcbAlert		Top level item	General alert.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbArchiveFailed		Top level item	Data archiving failure.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbBackupFailed		Top level item	Data and configuration backup failure.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbBruteForceAttempt		Top level item	Too many successive failed login attempts.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbConfigChange		Top level item	Configuration change.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbDBError		Top level item	Database error occured.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbDiskFull		Top level item	Disk utilization reached the percentage configured in the maximum_disk_utilization_ratio element of the api/configuration/management/monitoring endpoint.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbError		Top level item	General error.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbFirmwareTainted		Top level item	The firmware is tainted.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbHWError		Top level item	Hardware error.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbHaNodeChanged		Top level item	HA node state changed.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbLicenseAlmostExpired		Top level item	License expires soon.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbLimitReached		Top level item	License limit reached.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbLoadAvgHigh		Top level item	The average load exceeded any of the values configured in the maximum_load1, maximum_load5 or maximum_load15 elements of the api/configuration/management/monitoring endpoint.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbLogin		Top level item	Successful login.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbLoginFailure		Top level item	Failed login.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbLogout		Top level item	Logout from the web configuration interface.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbRaidStatus		Top level item	RAID status changed.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbSwapFull		Top level item	The utilization of the swap exceeded the value configured in the maximum_swap_utilization_ratio element of the api/configuration/management/monitoring endpoint.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbTimeSyncLost		Top level item	Time sync lost.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	xcbTimestampError		Top level item	Time stamping error.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.

Modify a system-related alert

To enable or disable an alert, you have to:

Open a transaction.

For details, see Open a transaction.
Modify the JSON object of the endpoint.

PUT the modified JSON object to the https://<IP-address-of-SPS>/api/configuration/alerting/system_alerts endpoint. You can find a detailed description of the available parameters listed in Element .
Commit your changes.

For details, see Commit a transaction.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code	Description	Notes
201	Created	The new resource was successfully created.
401	Unauthenticated	The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403	Unauthorized	The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404	NotFound	The requested object does not exist.

Traffic alerts

Basic settings > Logs, monitoring and alerts > Traffic alerts

Configuration options for sending traffic-related alerts.

E-mail alerts, when enabled, are sent to the e-mail address configured in the alerting_address element of the /api/configuration/management/email endoint.

SNMP alerts, when enabled, are sent to the SNMP server configured at the /api/configuration/management/snmp/trap endpoint.

URL

GET https://<IP-address-of-SPS>/api/configuration/alerting/traffic_alerts

Cookies

Cookie name	Description	Required	Values
session_id	Contains the authentication token of the user	Required	The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API. Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Cookie name

Description

Required

Values

session_id

Contains the authentication token of the user

Required

Sample request

The following command lists the configuration options for traffic-related alerts..

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/alerting/traffic_alerts

Response

The following is a sample response received when listing the configuration options for traffic-related alerts.

For details of the meta object, see Message format.

{
  "body": {
    "scbAuthFailure": {
      "email": false,
      "snmp": false
    },
    "scbAuthSuccess": {
      "email": false,
      "snmp": false
    },
    "scbChannelDenied": {
      "email": false,
      "snmp": false
    },
    "scbConnectionDenied": {
      "email": false,
      "snmp": false
    },
    "scbConnectionFailed": {
      "email": false,
      "snmp": false
    },
    "scbConnectionTimedout": {
      "email": false,
      "snmp": false
    },
    "scbCredStoreClosed": {
      "email": false,
      "snmp": false
    },
    "scbCredStoreDecryptError": {
      "email": false,
      "snmp": false
    },
    "scbCredStoreUnlockFailure": {
      "email": false,
      "snmp": false
    },
    "scbGWAuthFailure": {
      "email": false,
      "snmp": false
    },
    "scbGWAuthSuccess": {
      "email": false,
      "snmp": false
    },
    "scbProtocolViolation": {
      "email": false,
      "snmp": false
    },
    "scbRealTimeAlert": {
      "email": false,
      "snmp": false
    },
    "scbSshHostKeyLearned": {
      "email": false,
      "snmp": false
    },
    "scbSshHostKeyMismatch": {
      "email": false,
      "snmp": false
    },
    "scbUserMappingFailure": {
      "email": false,
      "snmp": false
    }
  },
  "key": "traffic_alerts",
  "meta": {
    "first": "/api/configuration/alerting/system_alerts",
    "href": "/api/configuration/alerting/traffic_alerts",
    "last": "/api/configuration/alerting/traffic_alerts",
    "next": null,
    "parent": "/api/configuration/alerting",
    "previous": "/api/configuration/alerting/system_alerts",
    "transaction": "/api/transaction"
  }
}

Element			Type	Description
key			string	Top level element, contains the ID of the endpoint.
body			Top level element (string)	Contains the configuration options for traffic-related alerts.
	scbAuthFailure		Top level item	User authentication failed.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbAuthSuccess		Top level item	Successful user authentication.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbChannelDenied		Top level item	Channel opening denied.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbConnectionDenied		Top level item	Connection denied.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbConnectionFailed		Top level item	Connection to the server failed.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbConnectionTimedout		Top level item	Connection timed out.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbCredStoreClosed		Top level item	The requested credential store is closed.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbCredStoreDecryptError		Top level item	Failure to decrypt a credential.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbCredStoreUnlockFailure		Top level item	Failure to unlock the credential store.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbGWAuthFailure		Top level item	The user failed to authenticate on the gateway.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbGWAuthSuccess		Top level item	Successful authentication on the gateway.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbProtocolViolation		Top level item	Protocol violation.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbRealTimeAlert		Top level item	Real-time audit event detected.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbSshHostKeyLearned		Top level item	New SSH hostkey learned.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbSshHostKeyMismatch		Top level item	SSH host key mismatch.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.
	scbUserMappingFailure		Top level item	User mapping failed on the gateway.
		email	boolean	Set to true to enable e-mail alerts.
		snmp	boolean	Set to true to enable SNMP alerts.

Modify a traffic-related alert

To enable or disable an alert, you have to:

Open a transaction.

For details, see Open a transaction.
Modify the JSON object of the endpoint.

PUT the modified JSON object to the https://<IP-address-of-SPS>/api/configuration/alerting/traffic_alerts endpoint. You can find a detailed description of the available parameters listed in Element .
Commit your changes.

For details, see Commit a transaction.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code	Description	Notes
201	Created	The new resource was successfully created.
401	Unauthenticated	The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403	Unauthorized	The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404	NotFound	The requested object does not exist.