Post on 23-Nov-2021
IBM Security Secret Server APIs—Support Webinar
Grey Thrasher (gthrashe@us.ibm.com)
Announcing IBM VIP Rewards: Engage. Earn points. Get Rewards.
IBM VIP Rewards is a way to engage with and recognize the ways that you, the client, add value to IBM. Complete fun challenges and get rewarded for interacting with IBM, learning new technologies and sharing your knowledge.
Learn more: ibm.biz/vip-rewards
Join IBM VIP Rewards for Security: ibm.biz/JoinIBMVIPRewards-Security
IBM Security Learning Academy
• Courses • Videos • Hands-on Labs • Live Events • Badges
Learning at no cost. New content published daily.
http://ibm.biz/ISSS-LearningAcademy
Panel
• Presenter: Grey Thrasher - Identity Support Technical Lead
• Panelists:
  - Daryl Romano - Identity Support
  - Jensen Toma - Identity Support
  - Gary Sedler - Identity Support
  - Mohammad Khan - Identity Support
Agenda
• Introduction • REST • SDK • Demo • Q/A
Introduction
• API: Application Programming Interface
  - Provides a way for customers/vendors to create custom scripts, applications, etc. that can interact with an application.
• IBM Security Secret Server API options:
  - Java, SOAP, REST, SDK
• Objects/Activities available in the APIs:
  - Authentication
  - Secrets
  - Folders
  - Users
  - Reports
  - Launchers
  - …
• Web Services must be enabled in ISSS before any of the APIs can be used.
REST
• Overview • Coding • Troubleshooting • Documentation
What is REST?
REpresentational State Transfer
• Every service is identified by a URI
• Uses standard HTTP methods for CRUD: POST, GET, PUT, DELETE
• Stateless: each request is independent
• Request data is typically JSON, x-www-form-urlencoded and/or query parameters
• Response data is typically JSON
Coding/Usage
• Authentication: returns a Token that is sent as a Bearer credential in all other requests
  POST https://ss/SecretServer/oauth2/token
  Headers: Content-Type: application/x-www-form-urlencoded
  Body: username, password, grant_type=password
  Response:
  {"access_token": "AgLlj_5QYUil….", "token_type": "bearer", "expires_in": 1200}
  (expires_in is in seconds, so 1200 = 20 minutes; after that the token is rejected and a new one must be requested. Treat the token like a password: keep it out of logs and URLs.)
• Get Secret:
  GET https://ss/SecretServer/api/v1/secrets/<secretID>
  Headers: Accept: application/json, Authorization: Bearer <token>
  Response (secret 12, the "SDK Test" secret used throughout the demo):
  {
    "id": 12, "name": "SDK Test", "secretTemplateId": 2, "folderId": 7, "active": true,
    "items": [
      {"itemId": 53, "fileAttachmentId": null, "filename": null, "itemValue": "fooserver", "fieldId": 60, "fieldName": "Resource", "slug": "resource", "fieldDescription": "The URL or location where information is being secured.", "isFile": false, "isNotes": false, "isPassword": false},
      {"itemId": 54, "fileAttachmentId": null, "filename": null, "itemValue": "sdktest", "fieldId": 61, "fieldName": "Username", "slug": "username", "fieldDescription": "The name assocated with the password.", "isFile": false, "isNotes": false, "isPassword": false},
      {"itemId": 55, "fileAttachmentId": null, "filename": null, "itemValue": "#5r5^(h^jLzK", "fieldId": 7, "fieldName": "Password", "slug": "password", "fieldDescription": "The password used to access information.", "isFile": false, "isNotes": false, "isPassword": true},
      {"itemId": 56, "fileAttachmentId": null, "filename": null, "itemValue": "This is a test secret to use with SDK", "fieldId": 8, "fieldName": "Notes", "slug": "notes", "fieldDescription": "Any comments or additional information for the secret.", "isFile": false, "isNotes": true, "isPassword": false}
    ],
    "launcherConnectAsSecretId": -1, "checkOutMinutesRemaining": 0, "checkedOut": false, "checkOutUserDisplayName": "", "checkOutUserId": -1,
    "isRestricted": false, "isOutOfSync": false, "outOfSyncReason": "", "autoChangeEnabled": false, "autoChangeNextPassword": null,
    "requiresApprovalForAccess": false, "requiresComment": false, "checkOutEnabled": false, "checkOutIntervalMinutes": -1, "checkOutChangePasswordEnabled": false,
    "accessRequestWorkflowMapId": -1, "proxyEnabled": true, "sessionRecordingEnabled": false, "restrictSshCommands": false, "allowOwnersUnrestrictedSshCommands": false,
    "isDoubleLock": false, "doubleLockId": -1, "enableInheritPermissions": false, "passwordTypeWebScriptId": -1, "siteId": 1,
    "enableInheritSecretPolicy": true, "secretPolicyId": -1, "lastHeartBeatStatus": "Pending", "lastHeartBeatCheck": "0001-01-01T00:00:00",
    "failedPasswordChangeAttempts": 0, "lastPasswordChangeAttempt": "0001-01-01T00:00:00", "secretTemplateName": "Password", "responseCodes": []
  }
  (The response carries the clear-text password in the item flagged "isPassword": true, so anything that logs or caches API responses is handling secret material.)
• Add Secret Permission:
  POST https://ss/SecretServer/api/v1/secrets-permissions
  Headers: Accept: application/json, Content-Type: application/json, Authorization: Bearer <token>
  Body:
  {
    "secretId": 15,
    "userId": 12,
    "secretAccessId": null,
    "secretAccessName": "View"
  }
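The three calls above, worked through in a small Python client. This is an added example written for this page, not code from the webinar or from the product. The HTTP transport is a callable `http(method, url, headers, body) -> (status, text)` passed in by the caller, so the example runs offline against the constructed `fake_http` below; for a real server you would pass a thin wrapper around urllib or requests with certificate verification left on. `Session`, `SecretServerError`, `fields`, `redacted` and `fake_http` are this example's own names; the URL paths, headers and JSON shapes are the ones shown on the slides.

```python
import json
import time
from urllib.parse import urlencode

# Sample responses constructed from the ones on the slides (secret 12, trimmed); not live data.
SAMPLE_TOKEN = {"access_token": "AgLlj_5QYUil....", "token_type": "bearer", "expires_in": 1200}
SAMPLE_SECRET = {"id": 12, "name": "SDK Test", "secretTemplateId": 2, "folderId": 7, "items": [
    {"itemId": 53, "slug": "resource", "itemValue": "fooserver", "isPassword": False, "isNotes": False},
    {"itemId": 54, "slug": "username", "itemValue": "sdktest", "isPassword": False, "isNotes": False},
    {"itemId": 55, "slug": "password", "itemValue": "#5r5^(h^jLzK", "isPassword": True, "isNotes": False},
    {"itemId": 56, "slug": "notes", "itemValue": "This is a test secret to use with SDK",
     "isPassword": False, "isNotes": True}]}


class SecretServerError(Exception):
    """Failed login, unusable token, or a non-200 API response."""


def fields(secret):
    """Flatten a secret's 'items' array into {slug: value}."""
    return {item["slug"]: item["itemValue"] for item in secret["items"]}


def redacted(secret, mask="***"):
    """fields() with every isPassword item masked, so the result is safe to log."""
    return {item["slug"]: (mask if item.get("isPassword") else item["itemValue"])
            for item in secret["items"]}


class Session:
    """Holds the bearer token and the clock time after which the server will reject it."""

    def __init__(self, base_url, http, clock=time.time):
        self.base_url = base_url.rstrip("/")   # e.g. https://ss/SecretServer
        self.http = http                        # injected transport, see lead-in
        self.clock = clock                      # injectable for testing expiry
        self.token = None
        self.expires_at = 0.0

    def login(self, username, password):
        """POST /oauth2/token (password grant). A bad login is reported as an
        "error" member in the JSON body, which the Node.js sample also checks."""
        status, text = self.http(
            "POST", self.base_url + "/oauth2/token",
            {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
            urlencode({"username": username, "password": password, "grant_type": "password"}))
        body = json.loads(text)
        if status != 200 or "error" in body:
            raise SecretServerError("login failed: %s" % body.get("error", "HTTP %d" % status))
        self.token = body["access_token"]
        # expires_in is seconds (1200 = 20 minutes on the slide); remember the deadline
        self.expires_at = self.clock() + float(body["expires_in"])
        return self

    def valid(self, skew=60):
        """True while the token has more than `skew` seconds of life left."""
        return self.token is not None and self.clock() + skew < self.expires_at

    def headers(self):
        if not self.valid():
            raise SecretServerError("no usable token; call login() again")
        return {"Accept": "application/json", "Authorization": "Bearer " + self.token}

    def get_secret(self, secret_id):
        """GET /api/v1/secrets/<id>; int() keeps anything but a number out of the path."""
        url = "%s/api/v1/secrets/%d" % (self.base_url, int(secret_id))
        status, text = self.http("GET", url, self.headers(), None)
        if status != 200:
            raise SecretServerError("GET %s returned HTTP %d" % (url, status))
        return json.loads(text)

    def add_permission(self, secret_id, user_id, access_name):
        """POST /api/v1/secrets-permissions with the body shown on the slide."""
        hdrs = dict(self.headers(), **{"Content-Type": "application/json"})
        body = json.dumps({"secretId": int(secret_id), "userId": int(user_id),
                           "secretAccessId": None, "secretAccessName": access_name})
        status, text = self.http("POST", self.base_url + "/api/v1/secrets-permissions", hdrs, body)
        if status not in (200, 201):
            raise SecretServerError("add permission returned HTTP %d" % status)
        return json.loads(text) if text else {}


def fake_http(method, url, headers, body):
    """Constructed offline stand-in for Secret Server (not the product): only
    admin/test logs in, only the sample token is accepted, only secret 12 exists."""
    if url.endswith("/oauth2/token"):
        if "password=test" in (body or ""):
            return 200, json.dumps(SAMPLE_TOKEN)
        return 400, json.dumps({"error": "invalid_grant"})
    if headers.get("Authorization") != "Bearer " + SAMPLE_TOKEN["access_token"]:
        return 401, json.dumps({"error": "Unauthorized"})
    if url.endswith("/api/v1/secrets/12"):
        return 200, json.dumps(SAMPLE_SECRET)
    if url.endswith("/api/v1/secrets-permissions"):
        return 200, json.dumps({"secretAccessName": json.loads(body)["secretAccessName"]})
    return 404, "{}"


if __name__ == "__main__":
    s = Session("https://ss/SecretServer", fake_http).login("admin", "test")
    print(redacted(s.get_secret(12)))   # the password prints as ***
    print(s.add_permission(15, 12, "View"))
```

`valid()` refuses a token within 60 seconds of its deadline rather than exactly at it, so a request started just before expiry does not fail halfway through; the Node.js sample on the next slides has no such check and will start returning 401 responses 20 minutes after login.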
Coding: Node.js (Authentication)
Define the data for the call to /oauth2/token, execute the call to authenticate, and save the Token to the session:

var express = require('express');
var request = require('request');   // as on the slide; note the 'request' package is deprecated
var router = express.Router();

router.post('/', (req, res) => {
  console.log("login.js: in login...");
  var username = req.body.username;
  var password = req.body.password;

  // auth to SS: OAuth2 password grant with a form-encoded body
  const options = {
    method: "POST",
    url: process.env.SS_URL + "/oauth2/token",
    headers: {
      'cache-control': 'no-cache',
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    form: { username: username, password: password, grant_type: 'password' }
  };

  // trust self-signed cert: this disables TLS certificate checking for the whole
  // Node process, so keep it to the lab and use a trusted certificate in production
  process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;

  request(options, (error, response, body) => {
    if (error) {
      // throwing here would skip the response; log and answer the client instead
      console.error("login.js: request error: " + error);
      res.status(502).send("Login failed: " + error);
    } else {
      const jsonBody = JSON.parse(body);
      if (jsonBody.hasOwnProperty("error")) {
        console.log("login error: " + jsonBody.error);
        res.send('<p><strong>Login Failed...please try again: </strong><a href="/">Login</a></p>');
      } else {
        req.session.sstoken = jsonBody.access_token;
        // the token is a bearer credential: log that login worked, not the token itself
        console.log("login.js: login success, token expires in " + jsonBody.expires_in + "s");
        req.session.save();
        res.redirect('./menu');
      }
    }
  });
});

module.exports = router;
Coding: Node.js (Get Secrets)
Define the data for the call to /api/v1/secrets, execute the call to retrieve all Secrets, and pass them to the client:

var express = require('express');
var request = require('request');
var router = express.Router();

router.get('/', (req, res) => {
  if (!req.session.sstoken) {
    // no token in the session yet: back to the login page
    return res.redirect('/');
  }
  // call SS with the Bearer token saved at login
  const options = {
    method: "GET",
    url: process.env.SS_URL + "/api/v1/secrets",
    headers: {
      'cache-control': 'no-cache',
      'Accept': 'application/json',
      'Authorization': 'Bearer ' + req.session.sstoken
    }
  };

  // trust self-signed cert (lab only; disables TLS verification process-wide)
  process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;

  request(options, (error, response, body) => {
    if (error) {
      console.error("menu.js: request error: " + error);
      res.status(502).send("Failed to retrieve secrets: " + error);
    } else if (response.statusCode !== 200) {
      // an expired or revoked token comes back as 401 and the body has no "records"
      res.status(response.statusCode).send("Failed to retrieve secrets: HTTP " + response.statusCode);
    } else {
      const jsonBody = JSON.parse(body);
      console.log("JSON Body from menu.js: " + body);
      res.render('./menu', { app_title: process.env.APP_TITLE, secrets: jsonBody.records, ssurl: process.env.SS_URL });
    }
  });
});

module.exports = router;
Troubleshooting
• Server:
  - IIS logs (C:\inetpub\logs\) and SS logs (C:\inetpub\wwwroot\SecretServer\log\)
  - Audit logs for the associated object (e.g. Secret > Audit)
• Client:
  - Catch/print errors
Documentation
• REST APIs: the docs can be accessed locally via SS console > Help > Secret Server REST API Guide, e.g. https://<SecretServer>/SecretServer/Documents/restapi/
• REST Web Services API Guide: https://www.ibm.com/support/pages/node/1136272
• Getting Started with the REST API:
  - PowerShell: https://www.ibm.com/support/pages/node/1136266
  - Perl: https://www.ibm.com/support/pages/node/1136260
SDK (tss)
• Overview • Coding • Troubleshooting • Documentation
What is the SDK?
• Command line utility to get Secret data
• Does not require a username/password at runtime
• Uses "Application Users"
• Does not provide full API capabilities (e.g. cannot get Folders, etc.)
• Can be used by applications to retrieve an auth token and then make direct API calls
SDK Configuration
• Create Application User:
  - Admin > Users > Create New
  - Enter details, and click "Advanced"
  - Select "Application Account"
  - Save
• Admin > All > SDK Client Management
  - Client Onboarding > "+Rule"
  - Enter:
    • Rule Name
    • IP Address(es) or CIDR notation
    • Select the Application Account
    • Require this generated onboarding key
  - Save
SDK Usage
• Initialization: tss init -u https://ss/SecretServer -r <rulename> -k <onboarding key>
• Status: tss status
• Remove configuration: tss remove
• Retrieve Token: tss token
• Get Secret: tss secret -s <secretID> -f <field slug> -o <output file> -ad
• Version: tss version
SDK Usage
./tss secret -s 12 -ad
{"resource":"fooserver","username":"sdktest","password":"#5r5^(h^jLzK","notes":"This is a test secret to use with SDK"}
./tss secret -s 12 -f notes
This is a test secret to use with SDK
SDK Usage (in a Python script)
import json
import subprocess

# Run tss directly with an argument list (no shell), so the secret ID and flags are
# passed as argv and nothing is interpolated into a command line.
secret = subprocess.check_output(["./tss", "secret", "-s", "12", "-ad"])
jsonSec = json.loads(secret)
print(jsonSec["username"])
print(jsonSec["password"])

$ python sdkTest.py
sdktest
#5r5^(h^jLzK
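A reusable version of the script above, and of the pattern from the SDK overview where an application takes the token from `tss token` and then makes direct REST calls. This is an added example written for this page, not code from the webinar or from the SDK. It invokes `tss` with an argv list rather than a shell string, turns a non-zero exit into an exception whose message carries stderr (the `-v` flag from the troubleshooting slide can be switched on for more detail), and builds the `Authorization: Bearer` header for a follow-on REST call. The `run` callable is injectable so the example runs offline against the constructed `fake_run` output; `Tss`, `TssError`, `fake_run` and the error text in `fake_run` are this example's own.

```python
import json
import subprocess


class TssError(Exception):
    """tss exited non-zero; the message carries the command and its stderr."""


def _run_subprocess(argv):
    """Default runner: execute argv directly (no shell) and return (rc, stdout, stderr)."""
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


class Tss:
    def __init__(self, binary="./tss", run=_run_subprocess, verbose=False):
        self.binary = binary
        self.run = run            # run(argv) -> (returncode, stdout, stderr)
        self.verbose = verbose    # appends -v, the verbose-errors flag from the troubleshooting slide

    def _call(self, *args):
        argv = [self.binary, *args] + (["-v"] if self.verbose else [])
        rc, out, err = self.run(argv)
        if rc != 0:
            raise TssError("%s exited %d: %s" % (" ".join(argv), rc, err.strip()))
        return out.strip()

    def secret(self, secret_id):
        """tss secret -s <id> -ad: every field of the secret, keyed by slug."""
        return json.loads(self._call("secret", "-s", str(int(secret_id)), "-ad"))

    def field(self, secret_id, slug):
        """tss secret -s <id> -f <slug>: one field value as plain text."""
        return self._call("secret", "-s", str(int(secret_id)), "-f", slug)

    def token(self):
        """tss token: a bearer token issued to the onboarded application account."""
        return self._call("token")

    def rest_headers(self):
        """Headers for a direct /api/v1/... call authenticated with the SDK's token."""
        return {"Accept": "application/json", "Authorization": "Bearer " + self.token()}


# Constructed output mirroring the tss session shown on the slide (secret 12); not real tss.
_FAKE_OUTPUT = {
    ("secret", "-s", "12", "-ad"): ('{"resource":"fooserver","username":"sdktest",'
                                    '"password":"#5r5^(h^jLzK","notes":"This is a test secret to use with SDK"}\n'),
    ("secret", "-s", "12", "-f", "notes"): "This is a test secret to use with SDK\n",
    ("token",): "AgLlj_5QYUil....\n",
}


def fake_run(argv):
    """Offline stand-in for ./tss; any other command fails with a constructed error text."""
    out = _FAKE_OUTPUT.get(tuple(argv[1:]))
    if out is None:
        return 1, "", "constructed error: no such secret or command"
    return 0, out, ""


if __name__ == "__main__":
    t = Tss(run=fake_run)
    print(t.secret(12)["username"])
    print(t.field(12, "notes"))
    print(t.rest_headers())
```

Passing `int(secret_id)` and a separate `slug` argument means a value taken from user input cannot smuggle extra flags into the tss command line, and because there is no shell, nothing in the arguments is expanded or split.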
Troubleshooting
• Server:
  - IIS logs (C:\inetpub\logs\) and SS logs (C:\inetpub\wwwroot\SecretServer\log\)
  - Admin > SDK Client Mgmt > Audit
• Client:
  - -v | --verbose: output verbose errors
  - -i | --interactive: prompts for data entry (in case the command syntax is in question)
Documentation
• SDK Scripting Tool Usage: https://www.ibm.com/support/pages/sdk-ibm-security-secret-server-scripting-tool-devops-%E2%80%93-guide-use
• SDK Client Downloads: https://www.ibm.com/support/pages/sdk-secret-server-scripting-tool-devops
Demo
• REST: cURL, Postman, Node.js
• SDK (tss): Initialize, Get Secrets
• Combining SDK and REST
Demo / Hands-on
• cURL
  - Get Auth Token:
    curl -k -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=test&grant_type=password" -X POST https://ss/SecretServer/oauth2/token
  - Get Secret Data:
    curl -k -H "Accept: application/json" -H "Authorization: Bearer AgLlj_5QYUilF6-sclepH…" https://ss/SecretServer/api/v1/secrets/12
  (curl already sends Content-Type: application/x-www-form-urlencoded with -d, so that header is optional. -k skips certificate verification and is for the lab only. A password given on the command line lands in shell history and is visible to other users in the process list; reading the form body from a file with -d @file avoids that.)
• Postman
  - Download/install Postman (https://getpostman.com)
  - Create an Environment
  - Create a Collection
  - Get Auth Token
  - Get Secret Data
• Node.js
Examples
• GitHub: https://github.com/gthrasher/SecretServer
Summary
• Applications/scripts can leverage the IBM Security Secret Server (ISSS) APIs
• ISSS REST APIs are portable and powerful
• The ISSS SDK is great for automation
Questions for the panel
Ask the panelists a question now
Enter your question in the Q&A area
To ask a question after this presentation:
You are encouraged to ask follow-up questions in the Support forums: https://www.ibm.com/mysupport/s/forumshome
IBM Secret Server Support forum: http://ibm.biz/SecretServer-SupportForum
For more information
• IBM Secret Server Support Forum: http://ibm.biz/SecretServer-SupportForum
• IBM Secret Server Security Learning Academy: http://ibm.biz/ISSS-LearningAcademy
• IBM Knowledge Center for IBM Secret Server: https://www.ibm.com/support/knowledgecenter/SSWHLP
• IBM Secret Server Support: https://ibm.biz/SecretServerSupport
Useful links: Get started with IBM Security Support, IBM Support, Sign up for My Notifications, IBM Security Community
Follow us: www.youtube.com/user/IBMSecuritySupport, twitter.com/askibmsecurity, http://ibm.biz/ISCS-LinkedIn
© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.All names and references for organizations and other business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental.Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Follow us:
securitylearningacademy.com
ibm.biz/JoinIBMVIPRewards-Security
youtube/user/IBMSecuritySupport
@AskIBMSecurity
ibm.biz/IBMSecurityClientSuccess-LinkedIn
securityintelligence.com
xforce.ibmcloud.com
ibm.com/security/community
Thank you