立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Sessions 6.5.0 - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections MSSQL connections RDP connections SSH connections Telnet connections VNC connections Search, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST

Authentication and authorization plugins

The authentication and authorization (AA) plugins used on SPS. To upload or update a plugin, see Upload a plugin.

URL
GET https://<IP-address-of-SPS>/api/configuration/plugins/aa
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.

Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command queries the list of AA plugins used on SPS.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/plugins/aa

The following command retrieves the properties of a specific plugin.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/plugins/aa/<plugin-id>
Response

The following is a sample response received when querying the list of AAA plugins used on SPS.

For details of the meta object, see Message format.

{
  "items": [
    {
      "key": "2080160955734bb2a1ddf9",
      "meta": {
        "href": "/api/configuration/plugins/aa/2080160955734bb2a1ddf9"
      }
    }
  ],
  "meta": {
    "first": "/api/configuration/plugins/aa",
    "href": "/api/configuration/plugins/aa",
    "last": "/api/configuration/plugins/ticketing",
    "next": "/api/configuration/plugins/credentialstore",
    "parent": "/api/configuration/plugins",
    "previous": null,
    "transaction": "/api/transaction"
  }
}

When retrieving the endpoint of a specific plugin, the response is the following.

{
  "body": {
    "api": "1.0",
    "description": "test1",
    "name": "AAPluginExample",
    "version": "1.1",
    "path": "/opt/scb/var/plugins/customgwauthplugin",
    "scb_max_version": "",
    "scb_min_version": "",
    "default_configuration": "",
    "entry_point": null,
    "sha256sum": "c4bb901de6b2274dcb94f1eec429fd0f3565ac792a856b07b8895e56ca2d8f42"
  },
  "key": "2080160955734bb2a1ddf9",
  "meta": {
    "first": "/api/configuration/plugins/aa/2080160955734bb2a1ddf9",
    "href": "/api/configuration/plugins/aa/2080160955734bb2a1ddf9",
    "last": "/api/configuration/plugins/aa/2080160955734bb2a1ddf9",
    "next": null,
    "parent": "/api/configuration/plugins/aa",
    "previous": null,
    "transaction": "/api/transaction"
  }
}
Element Type Description
key string Top level element, contains the ID of the plugin.
body Top level element (string) Contains the properties of the plugin.
api string The API version of the plugin.
description string The description of the plugin. This description is also displayed on the SPS web interface.
default_configuration string The default configuration of the plugin (an INI file as a string). For details, see the documentation of the particular plugin.
entry_point string The entry point of the plugin, for example, main.py
name string The name of the plugin. This name is also displayed on the SPS web interface. It cannot contain whitespace.
path string The path where the plugin is stored on SPS.
scb_max_version string The version number of the latest SPS release that is compatible with the plugin.
scb_min_version string The version number of the earliest SPS release that is compatible with the plugin.
sha256sum string The SHA-256 checksum of the plugin.
version string The version number of the plugin.

To configure a particular instance of a plugin, use the /api/coniguration/policies/aa_plugin_instances/<key-of-the-plugin-instance> endpoint.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404 NotFound The requested object does not exist.

Configuring Authentication and Authorization plugin instances

You can configure instances of Authentication and Authorization (AA) plugins to use in your Connection Policies. To configure an instance of a plugin you must first upload the plugin to SPS. To upload or update a plugin, see Upload a plugin.

URL
GET https://<IP-address-of-SPS>/api/configuration/policies/aa_plugin_instances
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.

Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command queries the list of AA plugin instances available on SPS.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/policies/aa_plugin_instances

The following command retrieves the properties of a specific instance.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/policies/aa_plugin_instances/<plugin-id>
Response

The following is a sample response received when querying the list of AA plugins used on SPS.

For details of the meta object, see Message format.

{
  "items": [
    {
        "name": "new_plugin_instance",
        "configuration": "test configuration",
        "plugin": "8876228625d67aa91e2253"
    }
  ],
  "meta": {
    "first": "/api/configuration/policies/aa_plugin_instances",
    "href": "/api/configuration/policies/aa_plugin_instances",
    "last": "/api/configuration/policies/usermapping_policies",
    "next": "/api/configuration/policies/analytics",
    "parent": "/api/configuration/policies",
    "previous": null,
    "remaining_seconds": 600,
    "transaction": "/api/transaction"
  }
}

When retrieving the endpoint of a specific plugin instance, the response is the following.

{
    "body": {
        "configuration": "[starling]\n# ..... disable_echo=yes\n",
        "name": "Demo_starling_plugin",
        "plugin": {
            "key": "8876228625d67aa91e2253",
            "meta": {
                "href": "/api/configuration/plugins/aa/8876228625d67aa91e2253"
            }
        }
    },
    "key": "8114402005d67adbeb38b6",
    "meta": {
        "first": "/api/configuration/policies/aa_plugin_instances/8114402005d67adbeb38b6",
        "href": "/api/configuration/policies/aa_plugin_instances/8114402005d67adbeb38b6",
        "last": "/api/configuration/policies/aa_plugin_instances/8114402005d67adbeb38b6",
        "next": null,
        "parent": "/api/configuration/policies/aa_plugin_instances",
        "previous": null,
        "remaining_seconds": 600,
        "transaction": "/api/transaction"
    }
}
Element Type Description
key string Top level element, contains the ID of the plugin instance.
body Top level element (string) Contains the properties of the plugin instance.
configuration string The configuration of the plugin instance (an INI file as a string). For details, see the documentation of the particular plugin.
name string The name of the plugin instance. This field can contain only letters (a-z, A-Z), numbers (0-9) and the underscore (_) character, and must begin with a letter.
plugin JSON object

Contains the details of the plugin object that this instance refers to: the ID of the plugin and its endpoint, for example,

"plugin": {
    "key": "8876228625d67aa91e2253",
    "meta": {
        "href": "/api/configuration/plugins/aa/8876228625d67aa91e2253"
    }
}
Create a new plugin instance

To create a new instance of a plugin, you have to:

  1. Open a transaction.

    For details, see Open a transaction.

  2. Create the JSON object of the plugin instance.

    POST the JSON object to the https://<IP-address-of-SPS>/api/configuration/policies/aa_plugin_instances endpoint. You can find a detailed description of the available parameters listed in Configuring Authentication and Authorization plugin instances.

  3. Commit your changes.

    For details, see Commit a transaction.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
400 SemanticError The configuration of the instance is invalid. Check the error key in the response for details.
Modify a plugin instance

To modify an instance of a plugin, you have to:

  1. Open a transaction.

    For details, see Open a transaction.

  2. Modify the JSON object of the policy.

    PUT the modified JSON object to the https://<IP-address-of-SPS>/api/configuration/policies/aa_plugin_instances/<key-of-the-instance> endpoint.

  3. Commit your changes.

    For details, see Commit a transaction.

Delete a plugin instance

To delete an instance of a plugin, you have to:

  1. Open a transaction.

    For details, see Open a transaction.

  2. Remove any references to the plugin instance from your Connection Policies. You cannot delete a plugin instance that other parts of the configuration actively use.

  3. Delete the endpoint of the plugin instance.

    DELETE the https://<IP-address-of-SPS>/api/configuration/policies/aa_plugin_instances/<key-of-the-instance> endpoint.

  4. Commit your changes.

    For details, see Commit a transaction.

Credential store plugins

The credential store plugins used on SPS. To upload or update a plugin, see Upload a plugin.

URL
GET https://<IP-address-of-SPS>/api/configuration/plugins/credentialstore
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.

Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command lists the credential store plugins stored on SPS.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/plugins/credentialstore

The following command retrieves the properties of a specific plugin.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/plugins/credentialstore/<plugin-id>
Response

The following is a sample response received when listing the credential store plugins used on SPS.

For details of the meta object, see Message format.

{
  "items": [
    {
      "key": "2534221015734bb18aaf32",
      "meta": {
        "href": "/api/configuration/plugins/credentialstore/2534221015734bb18aaf32"
      }
    }
  ],
  "meta": {
    "first": "/api/configuration/plugins/aa",
    "href": "/api/configuration/plugins/credentialstore",
    "last": "/api/configuration/plugins/ticketing",
    "next": "/api/configuration/plugins/ticketing",
    "parent": "/api/configuration/plugins",
    "previous": "/api/configuration/plugins/aa",
    "transaction": "/api/transaction"
  }
}

When retrieving the endpoint of a specific plugin, the response is the following.

{
  "body": {
    "api": "1.0",
    "description": "Demo credentialstore plugin for demonstration purposes",
    "name": "DemoCredentialStorePlugin",
    "path": "/opt/scb/var/plugins/credentialstore/DemoCredentialStorePlugin",
    "version": "1.1",
    "scb_max_version": "",
    "scb_min_version": "",
    "default_configuration": "",
    "entry_point": null,
    "sha256sum": "c4bb901de6b2274dcb94f1eec429fd0f3565ac792a856b07b8895e56ca2d8f42"
  },
  "key": "2534221015734bb18aaf32",
  "meta": {
    "first": "/api/configuration/plugins/credentialstore/2534221015734bb18aaf32",
    "href": "/api/configuration/plugins/credentialstore/2534221015734bb18aaf32",
    "last": "/api/configuration/plugins/credentialstore/2534221015734bb18aaf32",
    "next": null,
    "parent": "/api/configuration/plugins/credentialstore",
    "previous": null,
    "transaction": "/api/transaction"
  }
}
Element Type Description
key string Top level element, contains the ID of the plugin.
body Top level element (string) Contains the properties of the plugin.
api string The API version of the plugin.
description string The description of the plugin. This description is also displayed on the SPS web interface.
default_configuration string The default configuration of the plugin (an INI file as a string). For details, see the documentation of the particular plugin.
entry_point string The entry point of the plugin, for example, main.py
name string The name of the plugin. This name is also displayed on the SPS web interface. It cannot contain whitespace.
path string The path where the plugin is stored on SPS.
scb_max_version string The version number of the latest SPS release that is compatible with the plugin.
scb_min_version string The version number of the earliest SPS release that is compatible with the plugin.
sha256sum string The SHA-256 checksum of the plugin.
version string The version of the plugin.
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404 NotFound The requested object does not exist.

Credential stores

Credential Stores offer a way to store user credentials (for example, passwords, private keys, certificates) and use them to login to the target server, without the user having access to the credentials. That way, the users only have to perform gateway authentication on SPS with their usual password (or to an LDAP database), and if the user is allowed to access the target server, SPS automatically logs in using the Credential Store.

URL
GET https://<IP-address-of-SPS>/api/configuration/policies/credentialstores
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.

Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).

Sample request

The following command lists the credential stores.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/policies/credentialstores

The following command retrieves the properties of a specific credential store.

curl --cookie cookies https://<IP-address-of-SPS>/api/policies/credentialstores/<policy-id>
Response

The following is a sample response received when listing credential stores.

For details of the meta object, see Message format.

{
  "items": [
    {
      "key": "1580973975727acedd51b2",
      "meta": {
        "href": "/api/configuration/policies/credentialstores/1580973975727acedd51b2"
      }
    },
    {
      "key": "935272738572bc2ec1dbdd",
      "meta": {
        "href": "/api/configuration/policies/credentialstores/935272738572bc2ec1dbdd"
      }
    }
  ],
  "meta": {
    "first": "/api/configuration/policies/audit_policies",
    "href": "/api/configuration/policies/credentialstores",
    "last": "/api/configuration/policies/usermapping_policies",
    "next": "/api/configuration/policies/indexing",
    "parent": "/api/configuration/policies",
    "previous": "/api/configuration/policies/content_policies",
    "transaction": "/api/transaction"
  }
}

When retrieving the endpoint of a specific credential store, the response is the following.

{
  "body": {
    "name": "API_LOCAL",
    "type": {
      "authenticator_name": "auth_server_name",
      "default_namespace": "{HOST}",
      "dns_servers": {
        "primary": "192.168.56.1",
        "secondary": "192.168.56.2"
      },
      "domain_mappings": [
        {
          "domain": "domain",
          "host": {
            "selection": "fqdn",
            "value": "host"
          }
        }
      ],
      "login_mode": {
        "password": {
          "key": "e0ecbe98-bd17-4805-ba5d-17fb789f3971",
          "meta": {
            "href": "/api/configuration/passwords/e0ecbe98-bd17-4805-ba5d-17fb789f3971"
          }
        },
        "selection": "fixed",
        "username": "fixed_username"
      },
      "proxy_server": "http://192.168.56.201:9999",
      "selection": "local",
      "server_certificate_check": {
        "enabled": true,
        "trusted_ca": {
          "key": "12269547065727ad6e79d9e",
          "meta": {
            "href": "/api/configuration/policies/trusted_ca_lists/12269547065727ad6e79d9e"
          }
        }
      },
      "web_interface_url": "http://erpm_address"
    }
  },
  "key": "935272738572bc2ec1dbdd",
  "meta": {
    "first": "/api/configuration/policies/credentialstores/1580973975727acedd51b2",
    "href": "/api/configuration/policies/credentialstores/935272738572bc2ec1dbdd",
    "last": "/api/configuration/policies/credentialstores/935272738572bc2ec1dbdd",
    "next": null,
    "parent": "/api/configuration/policies/credentialstores",
    "previous": "/api/configuration/policies/credentialstores/1580973975727acedd51b2",
    "transaction": "/api/transaction"
  }
}
Element Type Description
key string Top level element, contains the ID of the credential store.
body Top level element (string) The configuration elements of the credential store.
name string The name of the credential store. This name is also displayed on the SPS web interface. It cannot contain whitespace.
type Top level item All elements for the configured type of credential store.
authenticator_name string If your ERPM setup is configured to use an external authentication method, enter the name of the Authentication Server (Authenticator Source) set on your ERPM server. If empty, SPS uses the [Explicit] authenticator.
default_namespace string The default namespace of the accounts (for example, [Linux], [LDAP], [IPMI], W2003DOMAIN).
dns_servers Top level item The IP addresses of the DNS servers to use for resolving the hostnames provided in domain_mappings.
domain_mappings Top level list

Use for RDP connections only. In a domainless environment, use default_namespace.

encryption Top level item Configures the encryption key for the local credential store.
login_mode Top level item Configures the account SPS uses to login to the ERPM server.
plugin string

Must be used if the selection element is set to external_plugin.

References the Credential Store plugin. You can find the list of available plugins at the /api/configuration/plugins/credentialstore/ endpoint.

To modify or add a plugin, use the value of the returned key as the value of the plugin element, and remove any child elements (including the key).

Plugins can only be uploaded using the web interface of SPS.

proxy_server string The IP address and port of the proxy server. Use the http:// or https:// prefix.
selection string

Configures the type of the credential store. Possible values are:

  • local

    Local credential store. Can only be configured using the web interface of SPS.

  • external_plugin

    Credential Store Plug-in. To upload or update a plugin, see Upload a plugin.

server_certificate_chec Top level item To verify the certificate of the ERPM server, configure server_certificate_check.
web_interface_url string Name of the DN of the ERPM server. Use the http:// or https:// prefix.
Elements of dns_servers Type Description
primary string The IP address of the primary DNS server.
secondary string The IP address of the secondary DNS server.
Elements of domain_mappings Type Description
domain string The domain name used for Domain/Host mapping.
host Top level item The host name or address of the domain controller used for Domain/Host mapping.
selection string

Declares if the value element contains an IP or an FQDN. Possible values are:

  • fqdn

    The value element contains a hostname.

  • ip

    The value element contains an IP.

value string The IP address or hostname of the domain controller.
Elements of encryption Type Description
selection string

Defines the encryption of the local credential store. Possible values are:

  • basic

    The local credential store uses the built-in protection of SPS.

  • password

    The local credential store is protected by one or more passwords.

Elements of login_mode Type Description
password string

Must be used if the selection element is set to fixed_username.

References the password SPS uses to authenticate on the ERPM server. You can configure passwords at the /api/configuration/passwords/ endpoint.

To modify or add a password, use the value of the returned key as the value of the password element, and remove any child elements (including the key).

selection string

Possible values are:

  • fixed_username

    SPS uses a fix username and password.

    Requires the username and password elements.

  • gateway_auth_credentials

    SPS uses the username and password that the user provided during the gateway authentication process.

    Can only be used for SSH connections.

username string

Must be used if the selection element is set to fixed_username.

The username SPS uses to authenticate on the ERPM server.

Elements of server_certificate_check Type Description
enabled boolean Set to true to verify the ERPM server's certificate.
trusted_ca string

Must be used if server certificate checking is enabled.

References the list of trusted Certificate Authorities. You configure trusted CAs at the /api/configuration/policies/trusted_ca_lists/ endpoint.

To reference a trusted CA list, use the value of the returned key as the value of the trusted_ca element, and remove any child elements (including the key).

Example:
NOTE:

The following example is response only. Credential stores can only be configured using the web interface of SPS.

Use a credential store plugin.

{
  "name": "API_PLUGIN",
  "type": {
    "plugin": {
      "key": "2534221015734bb18aaf32",
      "meta": {
        "href": "/api/configuration/plugins/credentialstore/2534221015734bb18aaf32"
      }
    },
    "selection": "external_plugin"
  }
}
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404 NotFound The requested object does not exist.
相关文档