Guardium RESTapi
© 2014 IBM Corporation
[email protected], Guy Galil - guyga@il.ibm.com

RESTAPI Presentation V3 - IBM · PDF fileThe REST API – An Introduction ... [joe@osprey ~] ... Implementation Notes. 34 © 2014 IBM Corporation



Logistics

This tech talk is being recorded. If you object, please hang up and leave the webcast now.

We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o

You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.

We'll try to answer questions in the chat or address them at the speaker's discretion.
– If we cannot answer your question, please do include your email so we can get back to you.

When the speaker pauses for questions:
– We'll go through the existing questions in the chat


Reminder: Guardium Tech Talks

A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: Getting Started with InfoSphere Guardium Vulnerability Assessment
Speakers: Ian Schmidt and Louis Lam
Date & Time: Thursday, May 8th, 2014, 11:30 AM Eastern Time (60 minutes)
Register here: http://bit.ly/1l9Abs3


New!!! Regional user groups this year

For registration links, ask your IBM rep or visit the Events Calendar on the InfoSphere Guardium community on developerWorks.


Agenda

The REST API – An Introduction

Use Cases and Examples
– Datasource & Group
– Reports
– Groups and Policy Install
– Risk Model

Security and Operational issues


restAPI

What is REST?
– A stateless architecture that runs over HTTP
– REST = REpresentational State Transfer
– http://en.wikipedia.org/wiki/Representational_state_transfer

Why expose information via REST?
– Many newer applications use REST: mobile, social, and applications that automate business processes
– Guardium has always tried to leverage existing infrastructure to help integrate our products, to make them easier to deploy and provide higher value for our customers

How does it work?
– Leverages existing technologies: HTTP, XML, etc.
– Uniform Resource Identifiers (URIs), e.g. https://10.10.9.239:8443/restAPI/datasource
– REST has a limited number of operations (GET, POST, PUT & DELETE = verbs)


Guardium's Implementation of REST

1. Register the application (only once) and get a client secret
2. Store the client secret in a secure place
3. Request an access token for authorization
4. Store the access token so the grdAPI command will be authenticated properly
5. Use access tokens to submit grdAPI commands

Flow between the client application and the Guardium appliance (diagram):
1. Use grdAPI to register the application (over the appliance CLI)
2. Save the response, which contains the "client secret"
3. Send a request for an "Access Token" with the client secret (HTTPS with REST)
4. Save the response, which contains the "Access Token"
5. Send grdAPI calls with the authorized "Access Token"


Spreadsheet as a tool for restAPI



REST with Guardium…

HTTP has a vocabulary of operations (request methods):
– GET (pass parameters in the URL)
– POST (pass parameters in a JSON object)
– PUT (pass the parameters to change as a JSON object)
– DELETE (pass parameters as a JSON object)

grdAPI's list_datasource_by_name (parameters: ?name="MSSQL_1")
– -X GET https://10.10.9.239:8443/restAPI/datasource/?name="MSSQL_1"

create_datasource
– -X POST https://10.10.9.239:8443/restAPI/datasource

update_datasource_by_name - JSON object '{password:guardium}'
– -X PUT -d '{password:guardium, name:"MSSQL_1"}'

delete_datasource_by_id - JSON object '{"id":20020}'
– -X DELETE -d '{"id":20020}'

RestAPI vs GrdAPI: GET = List, POST = Create, PUT = Update, DELETE = Delete
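As an added illustration (not code from this deck or from IBM), the following Python builds the four request shapes in the table above the way the curl examples do (bearer header, JSON body, parameters in the query string for GET) and parses the {"ID":...,"Message":...} reply; the base URL, token and CA bundle path are placeholders, it sends strict JSON where the curl examples leave keys unquoted, and it verifies the appliance certificate instead of using curl -k.

```python
"""Minimal Guardium restAPI request builder (added example, not IBM's code)."""
import json
import ssl
import urllib.request
from urllib.parse import urlencode

# grdAPI operation -> HTTP method, as in the slide's RestAPI vs GrdAPI table
VERBS = {"list": "GET", "create": "POST", "update": "PUT", "delete": "DELETE"}


def build_request(base_url, resource, action, params, token):
    """Return (method, url, headers, body) for one grdAPI call over REST.

    GET carries the parameters in the query string; POST/PUT/DELETE carry
    them as a JSON document, matching the verb table on the slide.
    """
    method = VERBS[action]
    url = f"{base_url.rstrip('/')}/restAPI/{resource}"
    headers = {
        "Authorization": "Bearer " + token,        # same header the curl examples send
        "Content-Type": "application/json",
    }
    body = None
    if method == "GET":
        if params:
            url += "?" + urlencode(params)
    else:
        body = json.dumps(params).encode("utf-8")  # strict JSON, keys quoted
    return method, url, headers, body


def parse_create_response(text):
    """Extract the new object ID from a create reply such as
    {"ID":20009,"Message":"ID=20009\\n"}. Raise if the reply is not a
    success message, so an error body is never mistaken for an ID."""
    reply = json.loads(text)
    if "ID" not in reply:
        raise ValueError("no ID in reply: " + str(reply.get("Message", text)))
    ident = int(reply["ID"])
    if reply.get("Message", "").strip() != f"ID={ident}":
        raise ValueError("ID and Message disagree: " + text)
    return ident


def call(base_url, resource, action, params, token, ca_bundle):
    """Send the request, verifying the appliance certificate against
    ca_bundle (a placeholder path); curl -k in the slides skips that check."""
    method, url, headers, body = build_request(base_url, resource, action, params, token)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")
```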


List Datasource by name

curl -k --header "Authorization:Bearer 9f8e1b10-7e6d-4803-9812-1faab5d0a094" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/datasource/?name="MSSQL_1"

GET = list
Parameters to be passed in the GET request: ?name="MSSQL_1"
REST Resource: restAPI/datasource
This means: show me the details of the datasource named MSSQL_1

[{
  "DatasourceId": "https://G91.ibm.com:8443/restAPI/datasource?id=20021",
  "DatasourceTypeId": "4",
  "Name": "MSSQL_1",
  "Description": "null",
  "Host": "10.10.9.252",
  "Port": "1433",
  "ServiceName": "",
  "UserName": "sa",
  "Password": "[B@7ad07ad0",
  "PasswordStored": "true",
  "DbName": "null",
  "LastConnect": "null",
  "Timestamp": "2014-03-11 13:09:36.0",
  "ApplicationId": "8",
  "Shared": "true",
  "ConProperty": "null",
  "OsUsername": "null",
  "DbHomeDir": "null",
  "CustomUrl": "null",
  "Severity": "5",
  "DbDriverId": "4",
  "CompatibilityMode": "",
  "DatasourceType": "MS SQL SERVER",
  "ApplicationType": "SecurityAssessment"
}]

(The Password field shows a Java byte-array object reference, not the stored password; PasswordStored tells you whether one is set.)


Sample Java Code Snippet for Datasources

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.io.Reader;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;

    // accessToken holds the OAuth access token obtained earlier
    // Construct the URL (the datasource name is the query parameter)
    URL url = new URL("https://10.10.9.239:8443/restAPI/datasource/?name=MSSQL_1");
    HttpsURLConnection conn = null;
    String JSONresults;
    try {
        // Open the connection
        conn = (HttpsURLConnection) url.openConnection();
        // Set the appropriate parameters (no setDoOutput: a GET sends no body)
        conn.setUseCaches(false);
        conn.setDoInput(true);
        // Use the GET method to list the datasource
        conn.setRequestMethod("GET");
        // Set the access token for authorization
        conn.setRequestProperty("Authorization", "Bearer " + accessToken);
        // Read the results of listing the datasource
        Reader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), "UTF-8"));
        // Get the reply back from Guardium
        StringBuilder sb = new StringBuilder();
        for (int c; (c = in.read()) >= 0; ) {
            sb.append((char) c);
        }
        JSONresults = sb.toString();
    } finally {
        // Done with the connection
        if (conn != null) {
            conn.disconnect();
        }
    }


Create a Datasource

[joe@ocean]$ curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" -i -H "Content-Type: application/json" -X POST -d '{application:"SecurityAssessment",host:10.10.9.252,name:"MSSQL_1",owner:admin,password:guardium,port:1433,shared:"true",severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa }' https://10.10.9.239:8443/restAPI/datasource

POST = Create
URI - https://10.10.9.239:8443/restAPI/datasource
Parameters: (Values)

Response
===============
{"ID": 20004,"Message": "ID=20004"}


Create a Datasource

[joe@ocean]$ curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" -i -H "Content-Type: application/json" -X POST -d '{application:"SecurityAssessment",host:10.10.9.252,name:"MSSQL_1",owner:admin,password:guardium,port:1433,shared:"true",severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa }' https://10.10.9.239:8443/restAPI/datasource

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=52960A56AFBC5989CDC825BCEA5EEBA4; Path=/; Secure; HttpOnly
X-UA-Compatible: IE=edge
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: authorization, origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 18000
Content-Type: application/json;charset=UTF-8
Content-Length: 43
Date: Wed, 12 Mar 2014 08:23:44 GMT
Server: SQL Guard

{"ID": 20004,"Message": "ID=20004"}
[joe@ocean]$


Example of creating a group through REST

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 211684bf-404d-4d98-960a-5d69ed8111c5" -i -H "Content-Type: application/json" -X POST -d '{desc:"Application DB Users",type:USERS,appid:"Public",category:"application users",classification:"PCI data",owner:"admin" }' https://10.10.9.239:8443/restAPI/group

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=B7C946314283B4D4542A1FE2368D6942; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Fri, 14 Mar 2014 14:28:27 GMT
Server: SQL Guard

{"ID":20009,"Message":"ID=20009\n"}

Successful execution of create group


Example of adding a member to a group through REST

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 211684bf-404d-4d98-960a-5d69ed8111c5" -i -H "Content-Type: application/json" -X POST -d '{desc:"Application DB Users",member:App10 }' https://10.10.9.239:8443/restAPI/group_member

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=36ECFCEB5B3351FAC33950E96E5C79DA; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 40
Date: Fri, 14 Mar 2014 14:29:12 GMT
Server: SQL Guard

{"ID":1003225,"Message":"ID=1003225\n"}

POST on resource "group_member" = create

Successful execution of create group member


List members of a group through REST

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/group_members_by_group_id?id=20009

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=7E8023B5EF9273A39E4C5503C6DF550E; Path=/; Secure; HttpOnly
X-UA-Compatible: IE=edge
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: authorization, origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 18000
Content-Type: application/json;charset=UTF-8
Content-Length: 220
Date: Fri, 14 Mar 2014 20:46:11 GMT
Server: SQL Guard

[{
  "group_id": 20000,
  "group_description": "https://G91:8443/restAPI/group?desc=Application DB Users",
  "group_members": [
    {"member": "App10"}
  ]
}]

GET on resource "group_members_by_group_id" = list

Successful execution listing members of the group, in JSON format


How to Get Help

List the available REST resources:

curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/restapi

Describe the parameters of one resource (here resourceId=14, group_member):

https://10.10.9.239:8443/restAPI/restapi?resourceId=14

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://9.70.148.214:8443/restAPI/restapi?resourceId=14

[{
  "parameterName": "desc",
  "parameterType": "java.lang.String",
  "isRequired": true
}, {
  "parameterName": "member",
  "parameterType": "java.lang.String",
  "isRequired": true
}, {
  "parameterName": "api_target_host",
  "parameterType": "java.lang.String",
  "isRequired": false
}]


How to Get Help – Update Datasource

https://10.10.9.239:8443/restAPI/restapi?resourceId=4

[root@q]# curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" https://9.70.148.214:8443/restAPI/restapi?resourceId=4

[{
  "parameterName": "name",                "parameterType": "java.lang.String",  "isRequired": true
}, {
  "parameterName": "newName",             "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "description",         "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "port",                "parameterType": "java.lang.Integer", "isRequired": false
}, {
  "parameterName": "serviceName",         "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "user",                "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "password",            "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "dbName",              "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "conProperty",         "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "dbInstanceDirectory", "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "dbInstanceAccount",   "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "shared",              "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "customURL",           "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "severity",            "parameterType": "java.lang.String",  "isRequired": false
}, {
  "parameterName": "api_target_host",     "parameterType": "java.lang.String",  "isRequired": false
}]
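An added example (not IBM's code) that uses a parameter listing like the ones above, as returned by restAPI/restapi?resourceId=N, to check a request body before it is sent and to mask secrets before the body is logged. The embedded listing is constructed from a subset of the update-datasource entries shown, and the mapping from the advertised Java types to Python types is my assumption.

```python
"""Validate a grdAPI request body against the help listing (added example)."""
import json

# Constructed from the slide's listing for resourceId=4 (update datasource); subset only.
UPDATE_DATASOURCE_HELP = json.loads("""[
 {"parameterName": "name",     "parameterType": "java.lang.String",  "isRequired": true},
 {"parameterName": "newName",  "parameterType": "java.lang.String",  "isRequired": false},
 {"parameterName": "port",     "parameterType": "java.lang.Integer", "isRequired": false},
 {"parameterName": "password", "parameterType": "java.lang.String",  "isRequired": false},
 {"parameterName": "severity", "parameterType": "java.lang.String",  "isRequired": false},
 {"parameterName": "api_target_host", "parameterType": "java.lang.String", "isRequired": false}
]""")

# Assumed correspondence between the Java types in the listing and Python types.
JAVA_TYPES = {
    "java.lang.String": str,
    "java.lang.Integer": int,
    "java.lang.Boolean": bool,
}


def validate_params(help_listing, params):
    """Return a list of problems; an empty list means the body is acceptable.

    Flags missing required parameters, unknown parameter names (a typo such
    as 'pasword' would otherwise go to the appliance unnoticed) and values
    whose Python type does not match the advertised Java type.
    """
    problems = []
    spec = {p["parameterName"]: p for p in help_listing}
    for name, entry in spec.items():
        if entry["isRequired"] and name not in params:
            problems.append(f"missing required parameter: {name}")
    for name, value in params.items():
        if name not in spec:
            problems.append(f"unknown parameter: {name}")
            continue
        want = JAVA_TYPES.get(spec[name]["parameterType"])
        # bool is a subclass of int in Python; do not let True pass as an Integer
        if want is int and isinstance(value, bool):
            problems.append(f"{name}: expected java.lang.Integer, got bool")
        elif want is not None and not isinstance(value, want):
            problems.append(f"{name}: expected {spec[name]['parameterType']}, "
                            f"got {type(value).__name__}")
    return problems


def redact_for_log(params):
    """Copy of the body that is safe to log: password-like fields are masked,
    since the slides show credentials (e.g. the datasource password) in the body."""
    return {k: ("***" if "password" in k.lower() else v) for k, v in params.items()}
```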


Integrate with Existing Business Processes

Diagram: the application owner specifies the IP address of their system; a custom application passes the server IP and an authorized email address to the Rest API; grdAPI then sends the application owner an email with a report of audit data (changes) for their server IP address.

• An existing customer system needs to correlate "some" Guardium information or trigger a process within Guardium
• Need an "industry" standard way to interact with Guardium (restAPI)

Note: Guardium has tremendous automation in the existing GUI and tools.


Use Cases

– Configuration
– Datasources
– Groups
– Reports
– Policies
– Server Risk


Configuration

Store these (client secret and access token) in a safe place!!! Guy will discuss this in more detail.


DataSources


Groups


List Group Members


Reports

– Use for getting "small" reports
– Submit an audit process for large/bulk reports
– Good to integrate with other systems that need small pieces of information without access to the GUI


Failed Login Report


Integrate with Application Team

– Show groups
– Update groups
– Show report
– Email report


Policy and Groups

– Update groups
– Install policies


Server Risk


Server Risk…


Integration With Other Dashboards


Implementation Considerations - Guy

– Security
– API and GUI considerations
– Roles and Permissions
– Implementation Notes


Every Application Needs Good Security

Security – REST API security is multi-tiered:

– Communication must be secured with SSL to prevent access to the access token or client secret on the wire. (The curl examples in this deck use -k, which skips certificate verification; a production client should verify the appliance's certificate, otherwise the bearer token can be captured by anyone who can intercept the connection.)

– The client secret must be secured. Anyone who has the client key can use it to generate tokens and then execute API requests.

– Token generation requires a valid Guardium user/password.

• On each API request the permissions of the user associated with the token are evaluated to verify the user is allowed to execute the specific function.


Roles and Permissions

API functions are linked to Guardium modules/applications and assigned to roles the same way GUI modules are.


Policy Installation could be a different role than "admin". Good separation of duties is available.


Implementation Notes

Consider the REST API when:
– You want to do online system integration.
  • An external system triggers something in Guardium interactively
– You want to develop programs for specific use cases
  • Clients can be developed in the language of your choice
  • Generic programs like the one shown in this presentation are good to demonstrate capabilities but are not a real implementation of the interface.
– You want to do interactive system integration (not batch processing)

Do not use the REST API:
– To rewrite Guardium functionality.
  • If you can do it inside Guardium you should not do it through the REST API.
– For mass data offload
  • If you need to export high volumes of data to external systems, don't use the REST API.


Information, training, and community

– Use the IBM InfoSphere Guardium REST API – developerWorks article
– InfoSphere Guardium YouTube Channel – includes overviews and technical demos
– InfoSphere Guardium newsletter
– developerWorks forum (very active)
– Guardium DAM User Group on Linked-In (very active)
– Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
– Guardium Info Center
– InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Send a note to [email protected] if interested.


Thank you: Gracias, Merci, Grazie, Obrigado, Danke, Tack, Dziękuję


RestAPI

– Ability to programmatically access grdAPI's
– Allows for easier integration with new technologies in the market

Example use cases:
– I want the ability to dynamically get a small amount of audit data for a certain IP address without having to log in to the Guardium GUI
– I want to populate an existing group, so I can update my policy to prevent unauthorized access to sensitive information by users that have left the company
– I want to get a list of all users within a certain authorized access group
– I want my application development team to help identify what sensitive tables to monitor
– I want to script access to grdAPI's without using the "expect" scripting language, which requires me to code against response text from the target system


RestAPI Overview

Registering as a client application with the Guardium authorization server.

Request an access token with the client credentials, using the client secret we got from the previous phase.

Create a report with Server IP address using a run time parameter.
Create an ad hoc audit process with a report (grdAPI):
– grdapi create_ad_hoc_audit_and_run_once reportId=183 isForReportRunOnce=true changeParIfExist=true taskParameter="QUERY_FROM_DATE=2012-10-23 00:00:00^^QUERY_TO_DATE=2013-11-22 00:00:00^^HostnameLike=%^^SHOW_ALIASES=TRUE^^REMOTE_SOURCE=" processNamePar=joe1 [email protected]=1 includeUserReceiver=false api_target_host=< >
– Other details
  • How do you identify the report id (183)?
  • How do you look at the audit processes (joe1)?
  • Configuring the SMTP gateway to email the report (to email to [email protected])


RestAPI Overview: Datasources

Registering as a client application with the Guardium authorization server.

Request an access token with the client credentials, using the client secret we got from the previous phase.

Add a datasource
Remove a datasource

The Guardium administrator must use a local CLI-authenticated session to generate a client secret for the client application. The client secret is then used by the client application to generate an access token associated with a valid Guardium user. An access token can be revoked using the revokeOauthToken API function. A client id can be revoked (invalidating all active tokens) using the revokeOauthClient API function. The access token has an expiration age assigned (current default is 3 hours). Subsequent API calls must specify the token and will have the permissions as granted to the user associated with the token. Any requests after the token expires will fail and the client application must generate a new token.

API functions getOAuthTokenExpirationTime and setOAuthTokenExpirationTime can be used to display and modify the token expiration duration; this setting is global and affects all tokens. These API functions are not exposed as REST APIs and can be invoked only through an authenticated CLI session by a user with the admin role.
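An added example (not IBM's code) of how a client can handle the token lifetime described above: the token is renewed shortly before the configured lifetime (default 3 hours) elapses, and a call the appliance rejects is retried exactly once with a fresh token. The fetch_token and send callables are injected and assumed to be supplied by the caller (the real token request and HTTP call), and treating HTTP 401 as the rejection signal is an assumption, since the slide only says such requests fail.

```python
"""Access-token lifecycle for a Guardium REST client (added example, not IBM's code)."""
import time

DEFAULT_TOKEN_LIFETIME = 3 * 60 * 60   # seconds; the default lifetime stated on the slide
REFRESH_MARGIN = 60                    # renew a little before the appliance would expire it


class TokenManager:
    """Keeps one access token in memory and renews it when it is about to expire.

    fetch_token(): returns a fresh access token string; it is the only code
    that ever handles the client secret and the Guardium user credentials.
    lifetime: token lifetime in seconds, as set by setOAuthTokenExpirationTime.
    clock: returns the current time (injectable so the logic can run offline).
    """

    def __init__(self, fetch_token, lifetime=DEFAULT_TOKEN_LIFETIME, clock=time.time):
        self._fetch = fetch_token
        self._lifetime = lifetime
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetches = 0          # how many times a token was generated

    def is_valid(self):
        """True while the cached token is still comfortably inside its lifetime."""
        return self._token is not None and self._clock() < self._expires_at - REFRESH_MARGIN

    def token(self):
        """Return a usable token, generating a new one if none is valid."""
        if not self.is_valid():
            self._token = self._fetch()
            self._expires_at = self._clock() + self._lifetime
            self.fetches += 1
        return self._token

    def invalidate(self):
        """Forget the token, e.g. after it was revoked with revokeOauthToken."""
        self._token = None
        self._expires_at = 0.0


def call_with_renewal(manager, send):
    """Perform one API call through send(token) -> (status, body).

    A 401 (assumed rejection code) means the appliance no longer accepts the
    token, whether it expired or was revoked; the token is discarded and the
    call retried exactly once with a new one, so a permanently broken
    credential cannot turn into a retry storm against the appliance.
    """
    status, body = send(manager.token())
    if status == 401:
        manager.invalidate()
        status, body = send(manager.token())
    return status, body
```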


RestAPI Overview for Datasources

Add a datasource with the Rest API

The syntax for all of the grdApi's is to put all the parameters of the function after the "-d". Here's an example of how to add a datasource, which takes parameters like: application, host, name, owner, password, etc.

Request:

curl -k --header "Authorization:Bearer 80cdcfa3-e02e-4bd6-829a-6b656beaa90a" -i -H "Content-Type: application/json" -X POST -d '{application:"SecurityAssessment",host:10.10.9.252,name:"MSSQL252",owner:admin,password:"1qaz!QAZ",port:1433,shared:true,severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa}' https://10.10.9.248:8443/restAPI/datasource

Response:

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=8C90021B43CCAF324FD72D498B0D4C93; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Fri, 01 Nov 2013 23:59:38 GMT
Server: SQL Guard

{"ID":20007,"Message":"ID=20007\n"}

This means the datasource was added successfully, and the ID for the datasource is 20007.


Delete a datasource by ID=20007 with the Rest API

Notice the "-X DELETE" section below in the command vs. the POST in the previous command to create the datasource.

Request:

curl -k --header "Authorization:Bearer 80cdcfa3-e02e-4bd6-829a-6b656beaa90a" -i -H "Content-Type: application/json" -X DELETE -d '{id:20007}' https://10.10.9.248:8443/restAPI/delete_datasource_by_id

Response:

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=354039539B475B50EBBFD00892A2F66A; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Sat, 02 Nov 2013 00:09:27 GMT
Server: SQL Guard

{"ID":20007,"Message":"ID=20007\n"}

The message, {"ID":20007,"Message":"ID=20007\n"}, means it was successful.


Thank You